CVE-2023-49691

7.2 HIGH (CVSS v3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H; CWE-78, OS command injection)

📋 TL;DR

This vulnerability lets a malicious administrator of the device run arbitrary operating system commands as root. Values from the Dynamic DNS (DDNS) client configuration are not properly neutralized before they are used to build an OS command, so an administrator-supplied value containing shell metacharacters is executed with root privileges once the device performs a DDNS IP address update. "Local administrator" here means an account with administrative rights on the device's management interface, not physical access to the hardware. It affects the Siemens RUGGEDCOM and SCALANCE industrial routers listed below running firmware versions below V8.0. Successful exploitation is a full compromise of the device.
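The bug class behind this CVE (CWE-78) is easiest to see in code. The following is an added, constructed illustration and not the Siemens firmware: a hypothetical DDNS update helper whose binary path (`/usr/bin/ddns-update`) and option names are invented. The vulnerable form pastes the configured hostname into a shell command string; the hardened form validates the hostname against an allow-list grammar and passes an argv list to `subprocess` with no shell, so metacharacters are never interpreted.

```python
import ipaddress
import re
import subprocess

# Constructed illustration of the CWE-78 pattern behind CVE-2023-49691.
# The /usr/bin/ddns-update binary and its options are hypothetical.

# Allow-list grammar for a DNS hostname: dotted RFC 1123 labels, alphabetic TLD.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)
# Command separators a POSIX shell honours when it parses a string-built line.
_SEPARATOR_RE = re.compile(r"\s*(?:;|&&|\|\||\||\n)\s*")


def build_update_command_vulnerable(ddns_host: str, new_ip: str) -> str:
    """Vulnerable form: the hostname from the DDNS configuration is pasted into a
    command string that is later handed to a shell (os.system style).
    Nothing stops ';' or '&&' in the configured value."""
    return f"/usr/bin/ddns-update --host {ddns_host} --ip {new_ip}"


def injected_commands(cmdline: str) -> list[str]:
    """Split a command line on simple shell separators to show how many distinct
    commands an attacker-controlled value turned the one intended command into."""
    return [part for part in _SEPARATOR_RE.split(cmdline) if part]


def validate_hostname(value: str) -> bool:
    """True only for a syntactically valid hostname; any metacharacter fails."""
    return _HOSTNAME_RE.match(value) is not None


def build_update_command_hardened(ddns_host: str, new_ip: str) -> list[str]:
    """Hardened form: validate both values against strict grammars and return an
    argv list. Running it with shell=False hands the arguments to the kernel
    verbatim, so no shell ever parses them."""
    if not validate_hostname(ddns_host):
        raise ValueError(f"rejected DDNS hostname: {ddns_host!r}")
    ipaddress.ip_address(new_ip)  # raises ValueError unless it is an IP literal
    return ["/usr/bin/ddns-update", "--host", ddns_host, "--ip", new_ip]


def hardened_rejects(ddns_host: str, new_ip: str) -> bool:
    """True if the hardened builder refuses the input (used by the demo)."""
    try:
        build_update_command_hardened(ddns_host, new_ip)
    except ValueError:
        return True
    return False


def run_update(argv: list[str]) -> int:
    """Execute a hardened argv without a shell. Not called in the demo because
    the ddns-update binary is hypothetical."""
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    evil_host = "plant.example.com; /bin/touch /tmp/marker"  # constructed payload
    cmd = build_update_command_vulnerable(evil_host, "203.0.113.7")
    print("vulnerable shell line  :", cmd)
    print("commands the shell runs:", injected_commands(cmd))
    print("hardened rejects it    :", hardened_rejects(evil_host, "203.0.113.7"))
    print("hardened argv          :",
          build_update_command_hardened("plant.example.com", "203.0.113.7"))
```

The point of the hardened form is that validation and the no-shell call are independent defences: even if the hostname grammar were loosened, an argv list cannot grow a second command, and even if a shell were unavoidable, a value that passes the grammar contains nothing a shell would act on.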

💻 Affected Systems

Products:
  • RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2)
  • RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2)
  • SCALANCE M804PB (6GK5804-0AP00-2AA2)
  • SCALANCE M812-1 ADSL-Router (6GK5812-1AA00-2AA2)
  • SCALANCE M812-1 ADSL-Router (6GK5812-1BA00-2AA2)
  • SCALANCE M816-1 ADSL-Router (6GK5816-1AA00-2AA2)
  • SCALANCE M816-1 ADSL-Router (6GK5816-1BA00-2AA2)
  • SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2)
  • SCALANCE M874-2 (6GK5874-2AA00-2AA2)
  • SCALANCE M874-3 (6GK5874-3AA00-2AA2)
  • SCALANCE M876-3 (6GK5876-3AA02-2BA2)
  • SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2)
  • SCALANCE M876-4 (6GK5876-4AA10-2BA2)
  • SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2)
  • SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2)
  • SCALANCE MUM853-1 (EU) (6GK5853-2EA00-2DA1)
  • SCALANCE MUM856-1 (EU) (6GK5856-2EA00-3DA1)
  • SCALANCE MUM856-1 (RoW) (6GK5856-2EA00-3AA1)
  • SCALANCE S615 EEC LAN-Router (6GK5615-0AA01-2AA2)
  • SCALANCE S615 LAN-Router (6GK5615-0AA00-2AA2)
Versions: All versions < V8.0
Operating Systems: Embedded firmware on affected devices
Default Config Vulnerable: ⚠️ Yes (the vulnerable code path is present in every firmware below V8.0; the attacker, being an administrator, can enable and configure DDNS themselves)
Notes: Exploitation requires an account with the administrator role on the device. Because such an account can enable and edit the DDNS configuration, having DDNS disabled does not by itself remove the exposure; it only makes the malicious change visible as a configuration change.

📦 What is this software?

The affected products are Siemens industrial routers: the RUGGEDCOM RM1224 (LTE/4G), the SCALANCE M-800 family (ADSL, SHDSL and mobile-network routers), the SCALANCE MUM-800 family (mobile-network routers) and the SCALANCE S615 LAN router. They connect plant-floor and remote OT networks to WAN links and are commonly deployed at unattended sites, where a Dynamic DNS client is used to keep the device reachable under a stable name despite a changing public IP address.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with root privileges, allowing attackers to install persistent backdoors, exfiltrate sensitive data, disrupt industrial operations, or pivot to other network segments.

🟠

Likely Case

Local administrators with malicious intent could gain unauthorized root access to execute commands, potentially disrupting network connectivity or modifying device configurations.

🟢

If Mitigated

With proper access controls limiting administrative privileges to trusted personnel only, the risk is significantly reduced as exploitation requires local administrator credentials.

🌐 Internet-Facing: LOW - exploitation needs an authenticated administrator session on the management interface, so internet exposure only matters where that interface is reachable from the internet or administrator credentials have already been obtained.
🏢 Internal Only: HIGH - the realistic attacker is a malicious insider or an adversary who has already taken over an administrator account (credential theft, shared admin passwords); the bug turns that account into root on an OT edge router.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid administrator credentials for the device, the ability to edit the DDNS client configuration, and a subsequent DDNS IP address update (the injected command runs after a successful update). No public exploit code had been identified as of the advisory date.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V8.0 or later

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-180704.html

Restart Required: Yes

Instructions:

1. Download firmware version V8.0 or later from Siemens (the vendor advisory links to the download pages).
2. Back up the current device configuration.
3. Upload and install the new firmware via the device's web interface or management console.
4. Restart the device to apply the change.
5. Verify the firmware version after reboot (System > Device Information > Firmware Version).

🔧 Temporary Workarounds

Disable DDNS Configuration

Platform: all affected devices

Disable the Dynamic DNS client on affected devices so that no DDNS update, and therefore no command built from the DDNS configuration, is executed.

Access device web interface > Network > DDNS > Disable DDNS service

Caveat: the attacker in this CVE is already an administrator and can re-enable DDNS. Treat this workaround as a way to make abuse visible (any DDNS change on a device where it should be off is a finding), not as a hard control, and pair it with the log monitoring described under Detection & Monitoring.

Restrict Administrative Access

Platform: all affected devices

Limit administrator accounts to the personnel who actually need them, use individual accounts rather than a shared admin login so that changes are attributable, and enforce strong authentication.

Configure access control lists to restrict administrative interface access to specific management IP addresses or a dedicated management VLAN, and do not expose the management interface to the internet or to the production cell network.

🧯 If You Can't Patch

  • Reduce administrator accounts to the minimum, make them individual and attributable, and restrict where they can log in from (ACLs, management network)
  • Disable DDNS on all affected devices where it is not needed and alert on any DDNS configuration change, since the attacker can re-enable it
  • Segment affected devices so that a compromised router reaches only the networks it must route for, and schedule the V8.0 update for the next maintenance window

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface: System > Device Information > Firmware Version. If version is below V8.0, the device is vulnerable.

Check Version:

Via web interface: Navigate to System > Device Information > Firmware Version

Verify Fix Applied:

After updating, verify firmware version shows V8.0 or later in System > Device Information > Firmware Version.
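Checking one device in the web interface scales poorly across a plant. The following added example (not from the page or from Siemens) triages an inventory export offline: it matches each record's article number against the affected list above and parses the firmware string against the V8.0 threshold. The inventory records, hostnames and one deliberately unaffected article number are constructed; the field names `name`, `mlfb` and `firmware` are assumptions about your export format.

```python
import re

# Article numbers (MLFB) copied from the affected-products list on this page.
AFFECTED_MLFB = frozenset({
    "6GK6108-4AM00-2BA2", "6GK6108-4AM00-2DA2",  # RUGGEDCOM RM1224 LTE(4G) EU / NAM
    "6GK5804-0AP00-2AA2",                        # SCALANCE M804PB
    "6GK5812-1AA00-2AA2", "6GK5812-1BA00-2AA2",  # SCALANCE M812-1
    "6GK5816-1AA00-2AA2", "6GK5816-1BA00-2AA2",  # SCALANCE M816-1
    "6GK5826-2AB00-2AB2",                        # SCALANCE M826-2
    "6GK5874-2AA00-2AA2", "6GK5874-3AA00-2AA2",  # SCALANCE M874-2 / M874-3
    "6GK5876-3AA02-2BA2", "6GK5876-3AA02-2EA2",  # SCALANCE M876-3 / M876-3 (ROK)
    "6GK5876-4AA10-2BA2", "6GK5876-4AA00-2BA2", "6GK5876-4AA00-2DA2",  # M876-4 variants
    "6GK5853-2EA00-2DA1",                        # SCALANCE MUM853-1 (EU)
    "6GK5856-2EA00-3DA1", "6GK5856-2EA00-3AA1",  # SCALANCE MUM856-1 (EU) / (RoW)
    "6GK5615-0AA01-2AA2", "6GK5615-0AA00-2AA2",  # SCALANCE S615 EEC / S615
})

FIXED_VERSION = (8, 0)  # first fixed release per the advisory: V8.0

# Accepts "V8.0", "v07.02.02", "8.0.1"; leading V and zero padding are tolerated.
_VERSION_RE = re.compile(r"^[Vv]?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected_product(mlfb: str) -> bool:
    return mlfb.strip().upper() in AFFECTED_MLFB


def is_vulnerable(mlfb: str, firmware: str) -> bool:
    """Affected article number AND firmware below V8.0. Only major.minor decide
    the fix threshold; the patch level is kept for reporting."""
    return is_affected_product(mlfb) and parse_version(firmware)[:2] < FIXED_VERSION


def triage(inventory: list[dict]) -> list[dict]:
    """Copy each record and add a verdict: vulnerable, ok or unknown-version."""
    out = []
    for dev in inventory:
        rec = dict(dev)
        try:
            rec["verdict"] = "vulnerable" if is_vulnerable(dev["mlfb"], dev["firmware"]) else "ok"
        except ValueError:
            rec["verdict"] = "unknown-version"  # needs a manual look
        out.append(rec)
    return out


def vulnerable_names(inventory: list[dict]) -> list[str]:
    return [r["name"] for r in triage(inventory) if r["verdict"] == "vulnerable"]


# Constructed inventory export. Names and versions are made up; the
# "6GK5999-0ZZ00-0ZZ0" article number is fictitious and stands for an
# unrelated device that must not be flagged.
SAMPLE_INVENTORY = [
    {"name": "cell3-s615",   "mlfb": "6GK5615-0AA00-2AA2", "firmware": "V7.2.2"},
    {"name": "cell3-rm1224", "mlfb": "6GK6108-4AM00-2BA2", "firmware": "V8.0"},
    {"name": "remote-m876",  "mlfb": "6gk5876-4aa00-2ba2", "firmware": "v07.01.02"},
    {"name": "lab-switch",   "mlfb": "6GK5999-0ZZ00-0ZZ0", "firmware": "V6.0"},
    {"name": "spares-bin",   "mlfb": "6GK5804-0AP00-2AA2", "firmware": "unknown"},
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_INVENTORY):
        print(f"{rec['name']:14} {rec['mlfb']:20} {rec['firmware']:10} -> {rec['verdict']}")
```

Records whose version string cannot be parsed are reported rather than silently treated as fixed, because an unknown spare on a shelf is exactly the device that gets deployed unpatched later.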

📡 Detection & Monitoring

Log Indicators:

  • Unusual DDNS configuration changes
  • Unexpected system command execution logs
  • Administrative access from unusual sources or at unusual times

Network Indicators:

  • Unexpected outbound connections from affected devices
  • Anomalous traffic patterns from administrative interfaces

SIEM Query:

source="industrial_router" AND ((event_type="config_change" AND config_field="ddns") OR event_type="command_execution")
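The query above catches every DDNS change; the value that matters is the one that contains shell metacharacters, and the context that matters is who changed it, from where and when. The following added example (not from the page or from Siemens) applies exactly those three indicators to a handful of constructed log lines. The key=value layout, the field names `ddns.hostname` and `ddns.enabled`, the approved source address and the business-hours window are all assumptions; replace them with the real event format and policy for your devices.

```python
import re

# Constructed log lines in a generic key=value syslog shape. They are NOT real
# SCALANCE/RUGGEDCOM output; the event layout and field names are assumptions.
SAMPLE_LOGS = """\
2024-01-15T08:02:11Z router-01 config: user=admin src=10.0.5.20 change ddns.hostname old="" new="plant.example.com"
2024-01-15T02:47:30Z router-01 config: user=svc_backup src=10.0.9.77 change ddns.hostname old="plant.example.com" new="plant.example.com; /bin/touch /tmp/marker"
2024-01-15T02:48:02Z router-01 config: user=svc_backup src=10.0.9.77 change ddns.enabled old="false" new="true"
2024-01-15T09:10:00Z router-02 auth: user=admin src=10.0.5.20 login ok
2024-01-15T09:12:40Z router-02 config: user=admin src=10.0.5.20 change ntp.server old="" new="10.0.1.1"
"""

CONFIG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) config: user=(?P<user>\S+) src=(?P<src>\S+) '
    r'change (?P<field>\S+) old="(?P<old>[^"]*)" new="(?P<new>[^"]*)"$'
)
# Characters with no place in a DDNS hostname or account name but meaningful
# to a POSIX shell. Their presence in a DDNS value is the strongest signal.
SHELL_META_RE = re.compile(r"[;&|`$<>\n]|\$\(")

# Constructed policy: where administrators are expected to come from, and when.
APPROVED_ADMIN_SOURCES = {"10.0.5.20"}
BUSINESS_HOURS_UTC = range(7, 19)


def analyze(log_text: str) -> list[dict]:
    """Return one finding per DDNS configuration change that looks suspicious."""
    findings = []
    for line in log_text.splitlines():
        m = CONFIG_RE.match(line)
        if not m or not m["field"].startswith("ddns."):
            continue  # not a parseable config change, or not about DDNS
        reasons = []
        has_meta = SHELL_META_RE.search(m["new"]) is not None
        if has_meta:
            reasons.append("shell metacharacters in DDNS value")
        if m["src"] not in APPROVED_ADMIN_SOURCES:
            reasons.append("change from non-approved source address")
        hour = int(m["ts"][11:13])  # ISO-8601 timestamp, UTC
        if hour not in BUSINESS_HOURS_UTC:
            reasons.append("change outside business hours")
        if reasons:
            findings.append({
                "ts": m["ts"], "host": m["host"], "user": m["user"], "src": m["src"],
                "field": m["field"], "new": m["new"],
                "severity": "high" if has_meta else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['ts']} {f['host']} {f['user']}@{f['src']} "
              f"{f['field']}={f['new']!r}: {', '.join(f['reasons'])}")
```

A legitimate DDNS change by the expected administrator during the day produces no finding, while the injected hostname is rated high on its content alone; the follow-up `ddns.enabled` change from the same session is still surfaced as medium because the source and time are wrong, which is what you want when the attacker takes care to keep the payload out of the field your regex watches.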

🔗 References

  • Siemens ProductCERT advisory SSA-180704: https://cert-portal.siemens.com/productcert/html/ssa-180704.html
  • NVD entry for CVE-2023-49691: https://nvd.nist.gov/vuln/detail/CVE-2023-49691
