Injection Vulnerability in SCALANCE W700 802.11 AX Family Before V2.4
Act Now | CVSS 9.1 | SSA-721642 | Sep 10, 2024
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
A command injection vulnerability exists in SCALANCE W700 802.11 AX wireless access points due to insufficient input sanitization in the device configuration interface. An attacker with administrative credentials can inject arbitrary commands that execute with device privileges, potentially allowing full compromise of the access point. Affected models include SCALANCE WAB762-1, WAM763-1, WAM766-1, WUB762-1, WUM763-1, and WUM766-1 (various regional variants) running firmware versions prior to V2.4.0.
What this means
What could happen
An attacker with administrative credentials could inject malicious commands into the SCALANCE W700 wireless access point configuration, potentially gaining full control of the device and using it to compromise connected industrial networks or intercept sensitive communications.
Who's at risk
Organizations operating Siemens SCALANCE W700 series 802.11 AX wireless access points in industrial networks should prioritize this update. These devices are commonly used in manufacturing plants, utility substations, and other critical infrastructure to provide wireless connectivity for mobile engineering workstations, process monitoring devices, and temporary installations. Access point compromise could allow an attacker to intercept or manipulate communications between control systems and operator interfaces.
How it could be exploited
An attacker with admin credentials accesses the device's management interface (web or SSH) and injects shell commands into a configuration parameter or input field that is not properly sanitized. The injected commands execute with device privileges, allowing the attacker to modify device behavior, access network traffic, or establish persistence.
Prerequisites
- Valid administrative credentials for the SCALANCE device
- Network access to the device management interface (web UI on port 80/443 or SSH on port 22)
- Knowledge of the injection point in the configuration interface
- Remotely exploitable via management interface
- Requires administrative credentials
- Critical CVSS score (9.1)
- Affects wireless network infrastructure in control environments
- Command injection allows full device compromise
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (16)
16 with fix
Product | Affected Versions | Fix Status
SCALANCE WAB762-1 | < V2.4.0 | 2.4.0
SCALANCE WAM763-1 | < V2.4.0 | 2.4.0
SCALANCE WAM763-1 (ME) | < V2.4.0 | 2.4.0
SCALANCE WAM763-1 (US) | < V2.4.0 | 2.4.0
SCALANCE WAM766-1 (EU) | < V2.4.0 | 2.4.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict administrative access to SCALANCE devices to authorized engineering workstations only using network firewall rules or access control lists
HARDENING: Change default administrative credentials and enforce strong password policies on all SCALANCE devices
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update all affected SCALANCE W700 802.11 AX devices to firmware version V2.4.0 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate wireless access point management traffic from general plant network traffic
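Added example (not part of the advisory and not Siemens tooling): a Python triage of an asset inventory against the affected model families and the V2.4.0 fix version stated above, to build the patch list for the maintenance window. The CSV column names, hostnames and sample rows are constructed assumptions.

```python
import csv
import io
import re

# Model families and fixed release as listed in the advisory (SSA-721642).
AFFECTED_FAMILIES = ("WAB762-1", "WAM763-1", "WAM766-1",
                     "WUB762-1", "WUM763-1", "WUM766-1")
FIXED = (2, 4, 0)

# Constructed sample inventory; hostnames and column names are assumptions.
SAMPLE_CSV = """host,model,firmware
ap-line1,SCALANCE WAM763-1 (US),V2.3.1
ap-line2,SCALANCE WAM766-1 (EU),V2.4.0
ap-yard,SCALANCE WUM766-1,v02.10.00
ap-lab,SCALANCE WAB762-1,unknown
sw-core,SCALANCE XC208,V4.5
"""

def parse_version(text):
    """'V2.3.1', 'v02.10.00' or '2.4' -> (major, minor, patch); None if unparseable."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)(?:\.(\d+))?\s*", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def classify(model, firmware):
    """Return 'not-affected', 'vulnerable', 'fixed' or 'review' for one device."""
    name = model.upper()
    # Substring match so regional variants such as '(US)' or '(EU)' still hit.
    if not any(f in name for f in AFFECTED_FAMILIES):
        return "not-affected"
    version = parse_version(firmware)
    if version is None:
        return "review"  # affected model, firmware unknown: check by hand
    # Tuple comparison is numeric, so 2.10.0 correctly sorts after 2.4.0.
    return "vulnerable" if version < FIXED else "fixed"

def triage(csv_text):
    """Map host -> status for every row of an inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: classify(r["model"], r["firmware"]) for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_CSV).items():
        print(f"{host:10} {status}")
```

Devices reported as "review" are affected models whose firmware string could not be parsed and should be checked on the device itself before being counted as patched.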
CVEs (1)