PatchSiren cyber security CVE debrief

CVE-2023-23455 Siemens CVE debrief

CVE-2023-23455 is a Linux kernel type-confusion vulnerability in atm_tc_enqueue that can result in denial of service. Siemens’ CSAF advisory ICSA-25-044-09 maps the issue to multiple SCALANCE WAB/WAM/WUB/WUM products and directs customers to update to V3.0.0 or later.

Vendor: Siemens
Product: SCALANCE WAB762-1 (6GK5762-1AJ00-6AA0)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-02-11
Original CVE updated: 2025-05-06
Advisory published: 2025-02-11
Advisory updated: 2025-05-06

Who should care

OT/ICS defenders and Siemens SCALANCE operators should care, especially teams responsible for the listed WAB/WAM/WUB/WUM product lines and any environment running firmware/software versions earlier than the vendor-fixed release.

Technical summary

The flaw is described as a type confusion in net/sched/sch_atm.c: non-negative values can sometimes represent TC_ACT_SHOT rather than a valid classification result. The supplied CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a local, low-privilege path with primary impact to availability. Siemens’ advisory applies the CVE to 19 SCALANCE product identifiers and states the fix is V3.0.0 or later.
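The following is an added, simplified userspace model of the result-handling pattern the summary describes; it is not the kernel's code and not the upstream patch. The TC_ACT_* values mirror the Linux action codes, but the structs, the classifier (fake_classify), the two enqueue variants and the run_enqueue driver are constructed for this example. It shows why "result is non-negative" is not the same as "res.class holds a flow": TC_ACT_SHOT is a positive verdict code, so a check that only rejects negative results lets the drop verdict fall through to a pointer cast.

```c
#include <stdio.h>

/* Added illustration, not the kernel's code: the action codes mirror Linux
 * TC_ACT_* values; everything else is a constructed stand-in. */
#define TC_ACT_UNSPEC (-1)   /* negative: this filter did not match */
#define TC_ACT_OK       0    /* non-negative: res->class names a flow */
#define TC_ACT_SHOT     2    /* non-negative too, but res->class is NOT a flow */

struct tcf_result { unsigned long class; };
struct atm_flow_data { int vcc_id; };

enum outcome { ENQUEUED_TO_FLOW = 0, DEFAULT_FLOW = 1, DROPPED = 2, TYPE_CONFUSED = 3 };

/* Constructed classifier. On TC_ACT_SHOT it does not touch res->class, so the
 * caller must not interpret that field as a flow. */
static int fake_classify(int mark, struct tcf_result *res, struct atm_flow_data *flow)
{
    if (mark == 0)  return TC_ACT_UNSPEC;
    if (mark == 99) return TC_ACT_SHOT;
    res->class = (unsigned long)flow;
    return TC_ACT_OK;
}

/* Shape of the bug: only negative results are rejected, so TC_ACT_SHOT falls
 * through and whatever sits in res.class is cast to a flow pointer. */
static enum outcome enqueue_vulnerable(int mark, struct atm_flow_data *flow, void *unrelated)
{
    struct tcf_result res = { .class = (unsigned long)unrelated };
    int result = fake_classify(mark, &res, flow);
    if (result < 0)
        return DEFAULT_FLOW;
    struct atm_flow_data *f = (struct atm_flow_data *)res.class;
    return f == flow ? ENQUEUED_TO_FLOW : TYPE_CONFUSED;  /* f is not a flow here */
}

/* Hardened shape: act on the drop verdict before reading res.class. */
static enum outcome enqueue_fixed(int mark, struct atm_flow_data *flow, void *unrelated)
{
    struct tcf_result res = { .class = (unsigned long)unrelated };
    int result = fake_classify(mark, &res, flow);
    if (result < 0)
        return DEFAULT_FLOW;
    if (result == TC_ACT_SHOT)
        return DROPPED;
    struct atm_flow_data *f = (struct atm_flow_data *)res.class;
    return f == flow ? ENQUEUED_TO_FLOW : TYPE_CONFUSED;
}

/* Runs one packet mark through either variant with constructed objects;
 * "unrelated" stands for stale data that happens to sit in res.class. */
enum outcome run_enqueue(int mark, int hardened)
{
    struct atm_flow_data flow = { .vcc_id = 7 };
    int unrelated = 0xdead;  /* constructed stand-in, deliberately not a flow */
    return hardened ? enqueue_fixed(mark, &flow, &unrelated)
                    : enqueue_vulnerable(mark, &flow, &unrelated);
}

int main(void)
{
    static const char *names[] = { "enqueued", "default flow", "dropped", "TYPE CONFUSED" };
    int marks[] = { 0, 1, 99 };
    for (int i = 0; i < 3; i++)
        printf("mark=%-3d vulnerable: %-14s fixed: %s\n", marks[i],
               names[run_enqueue(marks[i], 0)], names[run_enqueue(marks[i], 1)]);
    return 0;
}
```

The model only compares pointers and never dereferences the confused one; in the kernel the equivalent cast is followed by field accesses, which is where the availability impact comes from. The general lesson is that a classifier's verdict and its class payload are separate outputs, and the payload is only meaningful for the verdicts that define it.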

Defensive priority

Medium. The score is moderate, the path is local, and there is no KEV entry in the supplied timeline, but the availability impact can matter in industrial environments.

Recommended defensive actions

  • Upgrade affected Siemens SCALANCE products to V3.0.0 or later, per the vendor remediation.
  • Inventory SCALANCE WAB/WAM/WUB/WUM devices to confirm whether any listed product IDs are deployed.
  • Validate current firmware/software versions against the Siemens advisory before scheduling maintenance.
  • Apply least-privilege and restrict local administrative access on affected systems.
  • Follow CISA ICS defense-in-depth and recommended-practices guidance for segmentation, hardening, backup, and recovery planning.
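As an added helper for the inventory and version-validation steps above (not a Siemens or CISA tool), the C program below parses "V<major>.<minor>.<patch>" strings, compares each device against the V3.0.0 fixed release, and keeps unparseable versions in a separate count rather than silently treating them as patched. The inventory is constructed: the first product identifier is the one named in this debrief, the remaining identifiers are placeholders, and every version string is made up.

```c
#include <stdio.h>
#include <string.h>

/* Constructed inventory record: product identifier plus the version string the
 * device reports. Version strings are assumed to follow the advisory's
 * "V<major>.<minor>.<patch>" form; the helpers below are added, not vendor code. */
struct device { const char *product_id; const char *version; };

/* Parses "V3.0.0" or "3.0.0" into three integers; returns 1 on success. */
static int parse_version(const char *s, int v[3])
{
    if (*s == 'V' || *s == 'v')
        s++;
    return sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]) == 3;
}

/* 1 if `version` is earlier than `fixed`, 0 if at or past it,
 * -1 if either string cannot be parsed (flag for manual review). */
int needs_update(const char *version, const char *fixed)
{
    int a[3], b[3];
    if (!parse_version(version, a) || !parse_version(fixed, b))
        return -1;
    for (int i = 0; i < 3; i++) {       /* numeric compare, so 2.10 > 2.9 */
        if (a[i] < b[i]) return 1;
        if (a[i] > b[i]) return 0;
    }
    return 0;
}

/* Counts devices below the fixed release; unparseable entries go to *unknown
 * so they are never mistaken for patched devices. */
int count_affected(const struct device *inv, int n, const char *fixed, int *unknown)
{
    int affected = 0;
    *unknown = 0;
    for (int i = 0; i < n; i++) {
        int r = needs_update(inv[i].version, fixed);
        if (r == 1) affected++;
        else if (r < 0) (*unknown)++;
    }
    return affected;
}

/* Constructed sample inventory (placeholder ids, made-up versions). */
static const struct device sample_inventory[] = {
    { "SCALANCE WAB762-1 (6GK5762-1AJ00-6AA0)", "V2.4.1"  },
    { "PLACEHOLDER-PRODUCT-ID-2",               "V3.0.0"  },
    { "PLACEHOLDER-PRODUCT-ID-3",               "V3.1.0"  },
    { "PLACEHOLDER-PRODUCT-ID-4",               "unknown" },
};
#define SAMPLE_COUNT ((int)(sizeof sample_inventory / sizeof sample_inventory[0]))
#define FIXED_RELEASE "V3.0.0"

int sample_affected(void)
{
    int unknown;
    return count_affected(sample_inventory, SAMPLE_COUNT, FIXED_RELEASE, &unknown);
}

int sample_unknown(void)
{
    int unknown;
    count_affected(sample_inventory, SAMPLE_COUNT, FIXED_RELEASE, &unknown);
    return unknown;
}

int main(void)
{
    for (int i = 0; i < SAMPLE_COUNT; i++) {
        int r = needs_update(sample_inventory[i].version, FIXED_RELEASE);
        printf("%-42s %-8s %s\n", sample_inventory[i].product_id, sample_inventory[i].version,
               r == 1 ? "UPDATE REQUIRED" : r == 0 ? "ok" : "REVIEW (unparseable)");
    }
    printf("affected=%d unknown=%d\n", sample_affected(), sample_unknown());
    return 0;
}
```

Replace the constructed table with an export from the asset inventory; the three-way return value is the point, since a blank or malformed version field on an OT device should land in a review queue, not in the "patched" column.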

Evidence notes

Primary evidence comes from the CISA CSAF source item ICSA-25-044-09 and Siemens ProductCERT references. The advisory states the CVE affects multiple Siemens SCALANCE products and that remediation is to update to V3.0.0 or later. The source revision history supplied here shows a 2025-05-06 revision for typo fixes only, not a new vulnerability date.

Official resources

Public advisory source published 2025-02-11 (ICSA-25-044-09); revised 2025-05-06 for typo fixes. No KEV date was supplied for this CVE in the provided timeline.