Publication Date: 2022-12-13
Last Update: 2025-01-14
Current Version: V1.4
CVSS v3.1 Base Score: 7.6
CVSS v4.0 Base Score: 8.8
Affected Product and Versions Remediation
Currently no fix is planned
Currently no fix is planned

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity


This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

CVSS v3.1 Base Score: 7.6
CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0 Base Score: 8.8
CVSS v4.0 Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS v3.1 Base Score: 6.5
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0 Base Score: 7.1
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE: CWE-327: Use of a Broken or Risky Cryptographic Algorithm

CVSS v3.1 Base Score: 5.7
CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CVSS v4.0 Base Score: 5.2
CVSS v4.0 Vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
CWE: CWE-257: Storing Passwords in a Recoverable Format

CVSS v3.1 Base Score: 2.7
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0 Base Score: 5.1
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CWE: CWE-1284: Improper Validation of Specified Quantity in Input

CVSS v3.1 Base Score: 6.5
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0 Base Score: 7.1
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: CWE-664: Improper Control of a Resource Through its Lifetime

https://www.siemens.com/cert/advisories
V1.0 (2022-12-13): Publication Date
V1.1 (2023-03-14): Added fix for SCALANCE WxM-700 family, RUGGEDCOM RM1224 family, SCALANCE M-800 family, SCALANCE MUM-800 family and SCALANCE S615 family
V1.2 (2023-04-11): Added fix to SCALANCE XB-200, XC-200, XP-200, XF-200BA, XR-300WG and XR-500 families
V1.3 (2023-10-10): Removed SCALANCE WAM766-1 6GHz devices with MLFBs 6GK5766-1JE00 as they are currently still unreleased, updated CVE-2022-34821 still unfixed and no fix planned for SCALANCE W-700 IEEE 802.11ax family
V1.4 (2025-01-14): SCALANCE W-700 IEEE 802.11ax family: added fix for CVE-2022-34821, corrected fix for CVE-2022-46143 and clarified that the devices were also affected by CVE-2022-46144 with fix in V2.0.0; added CVSSv4 vectors for all CVE IDs