CVE-2022-25754

8.8 HIGH

📋 TL;DR

This is a Cross-Site Request Forgery (CSRF) vulnerability in Siemens SCALANCE industrial network switches. Attackers can trick authenticated users into executing unauthorized actions on the device's web interface. All listed SCALANCE X300 and XR300 series switches with active web sessions are affected.

💻 Affected Systems

Products:
  • SCALANCE X302-7 EEC
  • SCALANCE X304-2FE
  • SCALANCE X306-1LD FE
  • SCALANCE X307-2 EEC
  • SCALANCE X307-3
  • SCALANCE X307-3LD
  • SCALANCE X308-2
  • SCALANCE X308-2LD
  • SCALANCE X308-2LH
  • SCALANCE X308-2LH+
  • SCALANCE X308-2M
  • SCALANCE X308-2M PoE
  • SCALANCE X308-2M TS
  • SCALANCE X310
  • SCALANCE X310FE
  • SCALANCE X320-1 FE
  • SCALANCE X320-1-2LD FE
  • SCALANCE X408-2
  • SCALANCE XR324-12M
  • SCALANCE XR324-12M TS
  • SCALANCE XR324-4M EEC
  • SCALANCE XR324-4M PoE
  • SIPLUS NET SCALANCE X308-2
Versions: All versions prior to the fixed firmware releases (see the Siemens advisory)
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All listed voltage variants and configurations (coated, ports on front/rear) are affected. Requires active web session on the device.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to reconfigure network settings, disrupt industrial operations, or use the device as an entry point to other systems.

🟠 Likely Case

Unauthorized configuration changes leading to network disruption, data interception, or denial of service in industrial environments.

🟢 If Mitigated

Limited impact if proper network segmentation, authentication controls, and CSRF protections are implemented.

🌐 Internet-Facing: HIGH - If devices are exposed to the internet, attackers can easily exploit this via phishing or malicious websites.
🏢 Internal Only: MEDIUM - Requires internal attacker or compromised internal system, but industrial networks often have less security monitoring.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks are well-understood and easy to implement. Requires the victim to have an active session and to visit a malicious site.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Siemens advisory for specific firmware versions

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-836527.pdf

Restart Required: Yes

Instructions:

1. Download latest firmware from Siemens Industrial Security.
2. Backup current configuration.
3. Upload firmware via web interface or TFTP.
4. Reboot device.
5. Verify firmware version and restore configuration if needed.

🔧 Temporary Workarounds

Implement CSRF Tokens
  Platform: all
  Add anti-CSRF tokens to web interface requests
  Command: Not applicable - requires code changes

Network Segmentation
  Platform: all
  Isolate SCALANCE devices in separate VLANs with strict firewall rules
  Command: Not applicable - network configuration required

🧯 If You Can't Patch

  • Restrict web interface access to trusted IP addresses only
  • Implement strict session timeouts and require re-authentication for sensitive actions

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: System > Device Information > Firmware Version

Check Version:

Not applicable - use web interface or SNMP

Verify Fix Applied:

Verify firmware version matches patched version from Siemens advisory

📡 Detection & Monitoring

Log Indicators:

  • Multiple configuration changes from same session
  • Unexpected configuration modifications
  • Failed authentication attempts followed by successful requests

Network Indicators:

  • HTTP requests to device web interface from unexpected sources
  • Patterns of requests matching CSRF attack structures

SIEM Query:

source_ip=external AND dest_ip=scalance_device AND http_method=POST AND NOT user_agent=expected_browser
