Security Experts:

Connect with us

Hi, what are you looking for?



ICS Patch Tuesday: Siemens, Schneider Electric Address Over 100 Vulnerabilities

Siemens and Schneider Electric have addressed more than 100 vulnerabilities with their March 2023 Patch Tuesday security advisories.

Siemens and Schneider Electric have addressed more than 100 vulnerabilities with their March 2023 Patch Tuesday security advisories.


Siemens has released only seven new advisories, but they describe a total of 92 vulnerabilities. However, a vast majority are introduced by the use of third-party components rather than being specific to Siemens products.

For instance, 65 vulnerabilities affecting components such as the Linux kernel, Busybox, OpenSSL and OpenVPN have been patched in Ruggedcom and Scalance products. Exploitation of these flaws can lead to a denial of service (DoS) condition or to code injection.

Seventeen vulnerabilities affecting third-party components have been patched in Scalance devices. Exploitation of these security holes can lead to a DoS condition or the disclosure of sensitive data.

Siemens has also announced that several OpenSSL vulnerabilities have been addressed in Scalance W1750D devices. 

A high-severity DoS vulnerability affecting Wind River VxWorks has been patched in Siprotec 5 devices.

[ Read: Counting ICS Vulnerabilities: Examining Variations in Numbers Reported by Security Firms ] 

In addition to vulnerabilities affecting third-party components, Siemens has informed customers about a critical authentication bypass issue affecting the Mendix SAML module. 

The company has also disclosed privilege escalation, information disclosure, and SQL injection bugs in Ruggedcom Crossbow devices, including high-severity issues. 

It’s worth noting that Siemens has yet to release actual patches for some of these vulnerabilities. In some cases, only mitigations are currently available. 

Schneider Electric

Schneider Electric has published three new advisories covering a total of 10 vulnerabilities. 

One advisory describes a critical vulnerability in PowerLogic power meters. The flaw can be exploited for DoS attacks or remote code execution.

Another advisory describes eight security holes found in the IGSS SCADA product. Various modules of IGSS are affected by DoS and remote code execution issues that have been assigned ‘high’ and ‘medium’ severity ratings. 

The last advisory informs users about a session hijacking issue affecting the EcoStruxure Power Monitoring Expert product.

Siemens and Schneider on Tuesday also updated dozens of previous advisories to inform customers about the availability of patches, new CVEs, changes in affected product lists, and other information.

Related: Siemens Drives Rise in ICS Vulnerabilities Discovered in 2022

Related: ICS Patch Tuesday: 100 Vulnerabilities Addressed by Siemens, Schneider Electric

Related: 2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


Siemens and Schneider Electric address nearly 100 vulnerabilities across several of their products with their February 2023 Patch Tuesday advisories.


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).