Remote Code Execution Vulnerability in Siemens SCALANCE Devices
CVE-2022-26648

8.2HIGH

Key Information:

Vendor: Siemens
Status: Scalance X200-4p Irt; Scalance X201-3p Irt; Scalance X201-3p Irt Pro; Scalance X202-2irt
Vendor: CVE Published:; 12 July 2022

Summary

A vulnerability exists in various Siemens SCALANCE devices where affected versions fail to validate the GET parameter 'XNo' from incoming HTTP requests. This oversight can permit an unauthenticated remote attacker to exploit the device's functionality, potentially resulting in a device crash and service interruption. Organizations using these devices should urgently apply the necessary updates to lessen risk.

Affected Version(s)

SCALANCE X200-4P IRT All versions < V5.5.2

SCALANCE X201-3P IRT All versions < V5.5.2

SCALANCE X201-3P IRT PRO All versions < V5.5.2

References

https://cert-portal.siemens.com/productcert/pdf/ssa-31003...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jul 12, 2022
Vulnerability Reserved
Mar 7, 2022