The World’s Leading Information Resource For Maintenance & Engineering Professionals.

Social Media

Cross-Site-Scripting flaw discovered in Siemens SCALANCE S firewalls

Cross-Site-Scripting flaw discovered in Siemens SCALANCE S firewalls
Exploitation may allow threat actors to bypass critical firewall security functions in order to access industrial networks, putting operations and production at risk
Nelson Berg, an Applied Risk researcher, has identified a cross-site-scripting flaw in the Siemens SCALANCE S602, S612, S623, S627-2M firewalls. These are used to protect industrial networks from untrusted networks, allowing for the filtering of incoming and outgoing network connections. Exploitation of this vulnerability may allow threat actors to bypass critical security functions provided by the firewall, potentially providing unauthorised access to industrial environments. (Read More)

The Siemens SCALANCE S firewalls are used globally and are commonly found in a range of industries including oil & gas, manufacturing, chemical and power and more. The vulnerability is classified as serious and Applied Risk has given a CVSS (Common Vulnerability Scoring System) of 8.2. By working closely alongside Siemens in the responsible disclosure process, a fix has been issued by the vendor. Applied Risk recommends all those utilising the Siemens SCALANCE S firewalls to update to the latest version.

The updates are available via the following link:

To read an overview of the advisory, please visit:

About Applied Risk

Applied Risk is an established leader in Industrial Control Systems security that helps to protect assets and reduce security risk. They do this by providing organisations ranging from Fortune 500 enterprises to small-to-medium sized businesses with the services and solutions they need to transform the way they procure, build, integrate and manage their critical infrastructures. Established in 2012, Applied Risk has quickly grown to become a major cybersecurity player within the Industrial Automation and Process Control Domain.

To learn more, visit