PatchSiren cyber security CVE debrief
CVE-2023-1206 Siemens CVE debrief
CVE-2023-1206 describes a denial-of-service condition tied to a hash-collision flaw in the Linux kernel IPv6 connection lookup table. According to the advisory, a new kind of SYN flood attack can push CPU usage on an IPv6-accepting server to very high levels, and the attack can be launched by a user on the local network or by a high-bandwidth connection. Siemens maps the issue to multiple SCALANCE WAB/WAM/WUB/WUM product variants and recommends updating to V3.0.0 or later. CISA published the advisory on 2025-02-11 and later issued a revision on 2025-05-06 that only fixed typos.
- Vendor
- Siemens
- Product
- SCALANCE WAB762-1 (6GK5762-1AJ00-6AA0)
- CVSS
- MEDIUM 5.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-02-11
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-02-11
- Advisory updated
- 2025-05-06
Who should care
OT/ICS operators and network defenders responsible for Siemens SCALANCE WAB/WAM/WUB/WUM devices, especially deployments that accept IPv6 traffic and may be reachable from a local network segment or high-bandwidth uplink.
Technical summary
The source advisory states that a hash collision flaw in the Linux kernel IPv6 connection lookup table can be abused through a SYN flood pattern to create excessive CPU load. The reported impact is availability-only (CVSS 3.1 vector AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), with CPU usage reported as high as 95% on affected servers. Siemens’ CSAF advisory associates the issue with 19 SCALANCE product variants and directs operators to install V3.0.0 or later.
Defensive priority
Medium. The issue is availability-focused and requires network proximity or significant bandwidth, but it can still meaningfully disrupt affected SCALANCE deployments and any IPv6-accepting service path.
Recommended defensive actions
- Apply Siemens remediation: update affected products to V3.0.0 or later.
- Confirm whether any SCALANCE WAB/WAM/WUB/WUM devices in the environment accept IPv6 traffic and prioritize those exposed on reachable segments.
- Restrict access to management and service interfaces to trusted networks only, especially where local-network reachability is sufficient for abuse.
- Monitor for abnormal CPU spikes or sustained connection-table pressure on affected devices and adjacent network services.
- Use segmentation and rate-limiting controls where feasible to reduce exposure to high-volume connection floods.
- Track the Siemens and CISA advisories for any follow-up guidance, but note that the available revision in this source set is described as typo fixes only.
Evidence notes
Primary evidence comes from the CISA CSAF source item and Siemens references. The source explicitly describes the IPv6 hash-collision/SYN-flood CPU exhaustion condition and lists 19 affected SCALANCE products with the fix version V3.0.0 or later. CISA’s advisory page and Siemens’ CSAF/HTML advisory are the most relevant authoritative references. The available timeline shows initial publication on 2025-02-11 and a later revision on 2025-05-06 that corrected typos; those dates are advisory dates, not the original flaw introduction date.
Official resources
-
CVE-2023-1206 CVE record
CVE.org
-
CVE-2023-1206 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the CISA/Siemens advisory set on 2025-02-11, with a later advisory revision on 2025-05-06 that only fixed typos. No Known Exploited Vulnerabilities (KEV) entry is listed in the provided enrichment.