Security Experts:

Connect with us

Hi, what are you looking for?



ICS Patch Tuesday: Siemens, Schneider Electric Fix Only 11 Vulnerabilities

Industrial giants Siemens and Schneider Electric have addressed less than a dozen vulnerabilities in their August 2022 Patch Tuesday advisories, far fewer than in most of the previous months.

Industrial giants Siemens and Schneider Electric have addressed less than a dozen vulnerabilities in their August 2022 Patch Tuesday advisories, far fewer than in most of the previous months.

It’s not uncommon for these companies to address 50 vulnerabilities on a Patch Tuesday, and in some cases their advisories even covered 100 vulnerabilities. This week, however, they only published four advisories each, to inform customers about a total of just 11 vulnerabilities.

Major companies that typically patch a significant number of vulnerabilities each month do occasionally only address a small number of flaws, so it’s too soon to conclude that the products of these vendors have become more secure or that they don’t get as much attention from security researchers.


Siemens’ four advisories describe seven security holes. The company informed customers that some of its SCALANCE switches, routers, security appliances and wireless communication devices are affected by three vulnerabilities.

One of the flaws, rated ‘critical’, can allow an authenticated attacker with admin privileges to inject code or spawn a root shell. A high-severity flaw allows an unauthenticated attacker to remotely cause a DoS condition, and a medium-severity issue can be exploited for XSS attacks by an attacker with admin privileges.

A fix is currently only available for SCALANCE SC-600 security appliances and some of the impacted products will not get patches.

In the Teamcenter software, Siemens patched two high-severity flaws that can lead to remote code execution or a DoS condition.

Learn more about vulnerabilities in industrial systems at

SecurityWeek’s ICS Cyber Security Conference

The company has informed customers about one medium-severity information disclosure vulnerability in Simcenter STAR-CCM+ and one medium-severity authentication bypass issue affecting the SICAM A8000 web server module. The Simcenter flaw has yet to be fixed and Siemens does not plan on patching the SICAM vulnerability.

Schneider Electric

Schneider Electric’s four advisories describe one vulnerability each. Based on CVSS score — which can be misleading in the case of ICS products — the most important advisory describes a critical issue in EcoStruxure Control Expert, EcoStruxure Process Expert, and Modicon M580 and M340 products. The security hole is related to a weak password recovery mechanism and it can allow an attacker to gain unauthorized access to a device.

In Modicon PLC and PAC products, Schneider fixed a high-severity vulnerability that can lead to a DoS condition, as well as a high-severity flaw that can lead to the exposure of sensitive information, such as password hashes and project data.

A DoS vulnerability that can be exploited using specially crafted project files has been fixed in the EcoStruxure Control Expert product.

Schneider Electric has released patches and mitigations for each of the vulnerabilities.

Related: ICS Patch Tuesday: Siemens, Schneider Electric Address Over 80 Vulnerabilities

Related: ICS Patch Tuesday: Siemens, Schneider Fix Several Critical Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...