CVE-2024-50561

Q: How do I fix CVE-2024-50561?

1. Download firmware update from Siemens Industrial Security website. 2. Backup device configuration. 3. Upload firmware update via web interface or management tools. 4. Apply update and restart device. 5. Verify firmware version after restart.

Q: What is the severity of CVE-2024-50561?

CVE-2024-50561 has a CVSS score of 4.3 (MEDIUM). This vulnerability affects multiple Siemens industrial networking devices where authenticated remote attackers can upload files with malicious filenames due to improper sanitization. This could compromise system integrity by allowing attackers to manipulate or overwrite critical files. The vulnerability impacts various RUGGEDCOM and SCALANCE router models running versions below V8.2 or V3.0.0 depending on the product line.

4.3 MEDIUM

📋 TL;DR

This vulnerability affects multiple Siemens industrial networking devices where authenticated remote attackers can upload files with malicious filenames due to improper sanitization. This could compromise system integrity by allowing attackers to manipulate or overwrite critical files. The vulnerability impacts various RUGGEDCOM and SCALANCE router models running versions below V8.2 or V3.0.0 depending on the product line.

💻 Affected Systems

Products:

RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2)
RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2)
SCALANCE M804PB (6GK5804-0AP00-2AA2)
SCALANCE M812-1 ADSL-Router (6GK5812-1AA00-2AA2)
SCALANCE M812-1 ADSL-Router (6GK5812-1BA00-2AA2)
SCALANCE M816-1 ADSL-Router (6GK5816-1AA00-2AA2)
SCALANCE M816-1 ADSL-Router (6GK5816-1BA00-2AA2)
SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2)
SCALANCE M874-2 (6GK5874-2AA00-2AA2)
SCALANCE M874-3 (6GK5874-3AA00-2AA2)
SCALANCE M874-3 3G-Router (CN) (6GK5874-3AA00-2FA2)
SCALANCE M876-3 (6GK5876-3AA02-2BA2)
SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2)
SCALANCE M876-4 (6GK5876-4AA10-2BA2)
SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2)
SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2)
SCALANCE MUM853-1 (A1) (6GK5853-2EA10-2AA1)
SCALANCE MUM853-1 (B1) (6GK5853-2EA10-2BA1)
SCALANCE MUM853-1 (EU) (6GK5853-2EA00-2DA1)
SCALANCE MUM856-1 (A1) (6GK5856-2EA10-3AA1)
SCALANCE MUM856-1 (B1) (6GK5856-2EA10-3BA1)
SCALANCE MUM856-1 (CN) (6GK5856-2EA00-3FA1)
SCALANCE MUM856-1 (EU) (6GK5856-2EA00-3DA1)
SCALANCE MUM856-1 (RoW) (6GK5856-2EA00-3AA1)
SCALANCE S615 EEC LAN-Router (6GK5615-0AA01-2AA2)
SCALANCE S615 LAN-Router (6GK5615-0AA00-2AA2)
SCALANCE WAB762-1 (6GK5762-1AJ00-6AA0)
SCALANCE WAM763-1 (6GK5763-1AL00-7DA0)
SCALANCE WAM763-1 (ME) (6GK5763-1AL00-7DC0)
SCALANCE WAM763-1 (US) (6GK5763-1AL00-7DB0)
SCALANCE WAM766-1 (6GK5766-1GE00-7DA0)
SCALANCE WAM766-1 (ME) (6GK5766-1GE00-7DC0)
SCALANCE WAM766-1 (US) (6GK5766-1GE00-7DB0)
SCALANCE WAM766-1 EEC (6GK5766-1GE00-7TA0)
SCALANCE WAM766-1 EEC (ME) (6GK5766-1GE00-7TC0)
SCALANCE WAM766-1 EEC (US) (6GK5766-1GE00-7TB0)
SCALANCE WUB762-1 (6GK5762-1AJ00-1AA0)
SCALANCE WUB762-1 iFeatures (6GK5762-1AJ00-2AA0)
SCALANCE WUM763-1 (6GK5763-1AL00-3AA0)
SCALANCE WUM763-1 (6GK5763-1AL00-3DA0)
SCALANCE WUM763-1 (US) (6GK5763-1AL00-3AB0)
SCALANCE WUM763-1 (US) (6GK5763-1AL00-3DB0)
SCALANCE WUM766-1 (6GK5766-1GE00-3DA0)
SCALANCE WUM766-1 (ME) (6GK5766-1GE00-3DC0)
SCALANCE WUM766-1 (USA) (6GK5766-1GE00-3DB0)

Versions: All versions < V8.2 for most products, < V3.0.0 for SCALANCE W series

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices in default configuration. Authentication is required to exploit this vulnerability.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could upload malicious files that overwrite system files, potentially leading to denial of service, configuration manipulation, or privilege escalation.

🟠

Likely Case

Authenticated users could upload files with crafted filenames to manipulate device configuration or disrupt normal operations.

🟢

If Mitigated

With proper network segmentation and access controls, the impact is limited to authorized users who could still potentially cause configuration issues.

🌐 Internet-Facing: MEDIUM - If devices are exposed to the internet with authenticated access, attackers could exploit this vulnerability remotely.

🏢 Internal Only: MEDIUM - Internal authenticated users could exploit this vulnerability to affect device integrity and operations.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access to the device's web interface or management interface. The vulnerability is in filename sanitization during file upload operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V8.2 for most products, V3.0.0 for SCALANCE W series

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-354112.html

Restart Required: Yes

Instructions:

1. Download firmware update from Siemens Industrial Security website. 2. Backup device configuration. 3. Upload firmware update via web interface or management tools. 4. Apply update and restart device. 5. Verify firmware version after restart.

🔧 Temporary Workarounds

Restrict file upload access

all

Limit which users have permission to upload files to affected devices

Network segmentation

all

Isolate affected devices in separate network segments with strict access controls

🧯 If You Can't Patch

Implement strict access controls to limit which users can authenticate to affected devices
Monitor file upload activities and audit logs for suspicious filename patterns

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or CLI. If version is below V8.2 for most products or below V3.0.0 for SCALANCE W series, device is vulnerable.

Check Version:

Check via web interface: System > Device Information > Firmware Version. CLI command varies by device model.

Verify Fix Applied:

After updating, verify firmware version shows V8.2 or higher for most products, or V3.0.0 or higher for SCALANCE W series.

📡 Detection & Monitoring

Log Indicators:

Unusual file upload activities
File upload attempts with suspicious filenames
Authentication logs from unexpected sources

Network Indicators:

HTTP POST requests to file upload endpoints
Traffic to device management interfaces from unauthorized sources

SIEM Query:

source="device_logs" AND (event="file_upload" OR event="authentication") AND (filename CONTAINS ".." OR filename CONTAINS "/" OR filename CONTAINS "\")

📊 Metadata

CVE ID: CVE-2024-50561

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE: CWE-79

Published: November 12, 2024

Last Updated: February 11, 2025

🔗 References

https://cert-portal.siemens.com/productcert/html/ssa-354112.html Patch,Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-769027.html

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Ruggedcom Rm1224 Lte\(4g\) Eu Firmware by Siemens

Ruggedcom Rm1224 Lte\(4g\) Nam Firmware by Siemens

Scalance M804pb Firmware by Siemens

Scalance M812 1 \(annex A\) Firmware by Siemens

Scalance M812 1 \(annex B\) Firmware by Siemens

Scalance M816 1 \(annex A\) Firmware by Siemens

Scalance M816 1 \(annex B\) Firmware by Siemens

Scalance M826 2 Firmware by Siemens

Scalance M874 2 Firmware by Siemens

Scalance M874 3 \(cn\) Firmware by Siemens

Scalance M874 3 Firmware by Siemens

Scalance M876 3 \(rok\) Firmware by Siemens

Scalance M876 3 Firmware by Siemens

Scalance M876 4 \(eu\) Firmware by Siemens

Scalance M876 4 \(nam\) Firmware by Siemens

Scalance M876 4 Firmware by Siemens

Scalance Mum853 1 \(a1\) Firmware by Siemens

Scalance Mum853 1 \(b1\) Firmware by Siemens

Scalance Mum853 1 \(eu\) Firmware by Siemens

Scalance Mum856 1 \(a1\) Firmware by Siemens

Scalance Mum856 1 \(b1\) Firmware by Siemens

Scalance Mum856 1 \(cn\) Firmware by Siemens

Scalance Mum856 1 \(eu\) Firmware by Siemens

Scalance Mum856 1 \(row\) Firmware by Siemens

Scalance S615 Eec Firmware by Siemens

Scalance S615 Firmware by Siemens