---
title: "Siemens SCALANCE Wi-Fi Devices Hit by 15 Critical Vulnerabilities"
short_title: "Siemens SCALANCE critical Wi-Fi flaws"
description: "Siemens releases urgent update for SCALANCE W-700 devices to fix 15 vulnerabilities, including RCE and authentication bypass flaws. Patch now to secure industrial networks."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [siemens, scalance, wi-fi, cve-2023-44373, industrial-security]
score: 0.87
cve_ids: [CVE-2020-24588, CVE-2020-26139, CVE-2020-26140, CVE-2020-26141, CVE-2020-26143, CVE-2020-26144, CVE-2020-26146, CVE-2020-26147, CVE-2021-3712, CVE-2022-0778, CVE-2022-31765, CVE-2022-36323, CVE-2022-36324, CVE-2022-36325, CVE-2023-44373]
---
## TL;DR
Siemens has patched 15 critical vulnerabilities in its SCALANCE W-700 IEEE 802.11n family of industrial Wi-Fi devices, including flaws enabling remote code execution (RCE), authentication bypass, and denial-of-service (DoS) attacks. Organizations using affected devices must update to version 6.6.0 or later to mitigate risks in critical infrastructure sectors like manufacturing and communications.
Main Content
### Siemens SCALANCE Wi-Fi Devices Face Multi-Vulnerability Crisis
Siemens has issued a critical security advisory for its SCALANCE W-700 IEEE 802.11n family of industrial Wi-Fi devices, addressing 15 severe vulnerabilities that could expose organizations to remote attacks. These flaws, ranging from remote code execution (RCE) to authentication bypass and denial-of-service (DoS), affect multiple device models deployed worldwide in sectors such as critical manufacturing, communications, and information technology[^1].
The vulnerabilities, disclosed by Siemens ProductCERT, highlight systemic risks in industrial Wi-Fi infrastructure, where insecure configurations and outdated firmware can serve as entry points for threat actors. With a CVSS score of 9.1 for the most severe flaw (CVE-2022-36323), immediate action is required to prevent exploitation.
### Key Points
- 15 vulnerabilities affect Siemens SCALANCE W-700 devices, including RCE, authentication bypass, and DoS flaws.
- Critical infrastructure sectors (manufacturing, communications, IT) are at risk due to widespread deployment.
- Highest-severity flaw (CVE-2022-36323) allows authenticated attackers with administrative privileges to inject code or spawn root shells.
- Wi-Fi-specific vulnerabilities (e.g., CVE-2020-24588, CVE-2020-26140) enable packet injection and data exfiltration within Wi-Fi range.
- Siemens recommends updating to version 6.6.0 or later, alongside physical security measures like reducing Wi-Fi transmission power.
Technical Details
#### Affected Devices
The vulnerabilities impact all SCALANCE W-700 IEEE 802.11n devices running firmware versions prior to 6.6.0, including:
- SCALANCE W721-1, W722-1, W734-1, W738-1, W748-1, W761-1, W774-1, W778-1, W786-1/2, and W788-1/2 series.
- Variants with RJ45, M12, and SFP interfaces are all affected.
#### Vulnerability Breakdown
The flaws can be categorized into four primary attack vectors:
1. Wi-Fi Protocol Exploits
- CVE-2020-24588: Missing authentication for A-MSDU flags in QoS headers allows packet injection.
- CVE-2020-26140/CVE-2020-26143: Acceptance of plaintext frames in protected networks enables arbitrary packet injection.
- CVE-2020-26146/CVE-2020-26147: Reassembly of non-consecutive fragments permits data exfiltration.
2. Authentication and Authorization Flaws
- CVE-2020-26139: Unauthenticated EAPOL frame forwarding facilitates DoS attacks.
- CVE-2022-31765: Improper authorization in password change functions allows privilege escalation.
3. Code Injection and RCE
- CVE-2022-36323/CVE-2023-44373: Insufficient input sanitization leads to RCE via system root shells.
- CVE-2022-36325: DOM-based XSS via unsanitized user input in the web interface.
4. Denial-of-Service (DoS)
- CVE-2022-0778: Infinite loop in OpenSSL’s BN_mod_sqrt() function crashes devices processing malformed certificates.
- CVE-2022-36324: SSL/TLS renegotiation flaws enable brute-force DoS attacks.
#### CVSS Scores and Severity
| CVE ID | CVSS Score | Severity | Attack Vector |
|-------------------|------------|-----------|-----------------------------------|
| CVE-2022-36323 | 9.1 | Critical | Network (RCE) |
| CVE-2023-44373 | 9.1 | Critical | Network (RCE) |
| CVE-2022-31765 | 8.8 | High | Network (Privilege Escalation) |
| CVE-2021-3712 | 7.4 | High | Network (Memory Disclosure) |
| CVE-2022-0778 | 7.5 | High | Network (DoS) |
### Impact Assessment
#### Industrial Risks
SCALANCE devices are widely used in industrial control systems (ICS), where Wi-Fi connectivity bridges operational technology (OT) and IT networks. Exploitation of these vulnerabilities could lead to:
- Operational disruption: DoS attacks could halt production lines or critical communications.
- Data breaches: Packet injection and exfiltration flaws may expose sensitive industrial data.
- Unauthorized access: Authentication bypass and RCE could grant attackers control over industrial processes.
#### Attack Scenarios
1. Wi-Fi Range Exploitation: Attackers within proximity could inject malicious packets (e.g., CVE-2020-26140) to manipulate industrial traffic.
2. Privilege Escalation: Low-privilege users could escalate to admin access (CVE-2022-31765) and deploy malware.
3. Supply Chain Attacks: Compromised devices could serve as pivot points to infiltrate broader OT networks.
### Mitigation Steps
#### Immediate Actions
1. Update Firmware: Install Siemens SCALANCE W-700 version 6.6.0 or later immediately[^1].
- Download: Siemens Support Portal
2. Disable Vulnerable Features:
- Turn off A-MSDU if not required (mitigates CVE-2020-24588).
- Restrict Wi-Fi transmission power to limit attack range.
3. Physical Security: Deploy devices in controlled areas with restricted access.
#### Long-Term Strategies
- Network Segmentation: Isolate SCALANCE devices from business networks using firewalls.
- Monitoring: Implement intrusion detection systems (IDS) to detect anomalous Wi-Fi traffic.
- Regular Audits: Conduct firmware and configuration audits to ensure compliance with Siemens’ Industrial Security Guidelines.
## Conclusion
The discovery of 15 critical vulnerabilities in Siemens SCALANCE Wi-Fi devices underscores the growing risks to industrial wireless networks. With remote code execution, authentication bypass, and DoS among the threats, organizations must prioritize patching and adopt defense-in-depth strategies to protect critical infrastructure. Siemens’ advisory serves as a reminder that OT security requires proactive measures, including regular updates, network segmentation, and physical access controls.
For further support, contact Siemens ProductCERT: https://www.siemens.com/cert/advisories.
## References
[^1]: Siemens ProductCERT. "SSA-019200: Multiple Vulnerabilities in SCALANCE W-700 Devices". Retrieved 2024-10-02.
[^2]: CISA. "ICSA-26-111-07: Siemens SCALANCE Vulnerabilities". Retrieved 2024-10-02.
[^3]: MITRE. "CVE-2022-36323 Detail". Retrieved 2024-10-02.