CVE-2023-25366

9.8 CRITICAL

📋 TL;DR

This vulnerability in Siglent SDS oscilloscopes allows attackers to retrieve the web interface password through the insecure SCPI interface. It affects users of Siglent SDS 1104X-E devices running vulnerable firmware, potentially exposing administrative credentials.

💻 Affected Systems

Products:
  • Siglent SDS 1104X-E
Versions: SDS1xx4X-E_V6.1.37R9.ADS and likely earlier versions
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SCPI interface to be enabled (default state).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device compromise allowing attackers to modify device settings, capture sensitive measurement data, or use the device as a network pivot point.

🟠 Likely Case

Unauthorized access to the web interface leading to configuration changes, data theft, or denial of service.

🟢 If Mitigated

Limited impact if device is isolated from untrusted networks and SCPI interface is disabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple SCPI command execution to retrieve credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://siglent.com

Restart Required: No

Instructions:

Check the Siglent website for firmware updates. If an update is available, download it and install it via USB or network update.

🔧 Temporary Workarounds

Disable SCPI Interface

all

Turn off the SCPI interface if not required for operations.

Navigate to device settings > Interface > SCPI > Disable

Network Segmentation

all

Isolate oscilloscope on separate VLAN without internet access.

🧯 If You Can't Patch

  • Disable web interface entirely if not needed
  • Implement strict firewall rules to block all external access to device

🔍 How to Verify

Check if Vulnerable:

Connect to the device via SCPI (port 5025) and send the command to retrieve the web password.

Check Version:

Check the device's System Info menu or use the SCPI command *IDN?

Verify Fix Applied:

Attempt the same SCPI command; it should return an error or no password.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SCPI command patterns
  • Multiple failed web login attempts

Network Indicators:

  • Unexpected connections to port 5025 (SCPI)
  • Traffic to web interface from unusual sources

SIEM Query:

source_port:5025 OR destination_port:5025 | stats count by src_ip
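
The two network indicators above, combined in one pass over flow records. This is an added example, not part of the original advisory: it counts SCPI (port 5025) connections per source outside an allowlist, and flags sources that reached SCPI and afterwards the web interface of the same device. The flow format, addresses, allowlist range and web ports are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter

SCPI_PORT = 5025       # SCPI port named in the advisory
WEB_PORTS = {80, 443}  # assumption: ports serving the device web interface
# Assumption: hosts allowed to drive the instrument (constructed range).
ALLOWED_CONTROLLERS = [ipaddress.ip_network("10.20.30.0/28")]

# Constructed sample flows, oldest first: ts,src_ip,src_port,dst_ip,dst_port
SAMPLE_FLOWS = """\
2024-01-10T09:00:01Z,10.20.30.5,50112,10.20.40.17,5025
2024-01-10T09:01:10Z,10.99.2.7,40300,10.20.40.17,80
2024-01-10T09:02:44Z,10.99.1.23,41822,10.20.40.17,5025
2024-01-10T09:02:50Z,10.99.1.23,41823,10.20.40.17,5025
2024-01-10T09:03:02Z,10.99.1.23,41830,10.20.40.17,80
2024-01-10T09:04:00Z,10.99.2.7,40311,10.20.40.17,5025
2024-01-10T09:05:00Z,10.20.30.9,44001,10.20.40.17,80
"""

def parse_flows(text):
    for row in csv.reader(io.StringIO(text)):
        if row:  # skip blank lines
            ts, src, _sport, dst, dport = row
            yield ts, src, dst, int(dport)

def is_allowed(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_CONTROLLERS)

def unexpected_scpi_sources(text):
    """Count port-5025 flows per src_ip, ignoring allowed controllers."""
    return dict(Counter(src for _, src, _, dport in parse_flows(text)
                        if dport == SCPI_PORT and not is_allowed(src)))

def scpi_then_web(text):
    """(src, device) pairs: non-allowed source hit SCPI, then the web UI."""
    seen_scpi, hits = set(), []
    for _, src, dst, dport in parse_flows(text):
        if is_allowed(src):
            continue
        if dport == SCPI_PORT:
            seen_scpi.add((src, dst))
        elif dport in WEB_PORTS and (src, dst) in seen_scpi and (src, dst) not in hits:
            hits.append((src, dst))
    return hits

if __name__ == "__main__":
    print(unexpected_scpi_sources(SAMPLE_FLOWS))
    print(scpi_then_web(SAMPLE_FLOWS))
```

The SCPI-then-web sequence is the higher-priority alert, since it matches the order in which a retrieved web password would be used.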
