PatchSiren cyber security CVE debrief
CVE-2023-52238 Siemens CVE debrief
CVE-2023-52238 is a medium-severity information disclosure vulnerability affecting Siemens RUGGEDCOM industrial network devices. The web server on affected systems exposes MACsec (Media Access Control Security) keys in cleartext to authenticated users. An attacker with low-privileged credentials can retrieve these cryptographic keys and subsequently decrypt Ethernet frames intended for authorized recipients, undermining the confidentiality protections MACsec is designed to provide. The vulnerability was disclosed on July 9, 2024, with an advisory update on August 12, 2025, expanding the scope to include additional RUGGEDCOM RSG2100P and RSG2100PNC (32M) models for V4.x and V5.x firmware versions. The CVSS 3.1 score of 4.3 reflects network attack vector, low attack complexity, low privileges required, and low confidentiality impact. Siemens has released firmware version 5.9.0 or later to address this issue.
- Vendor
- Siemens
- Product
- RUGGEDCOM i800
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-07-09
- Original CVE updated
- 2025-08-12
- Advisory published
- 2024-07-09
- Advisory updated
- 2025-08-12
Who should care
Organizations operating Siemens RUGGEDCOM industrial network infrastructure in critical infrastructure sectors including energy, transportation, and manufacturing. Security teams responsible for OT/ICS network segmentation and cryptographic key management. Compliance officers addressing NERC CIP or similar requirements for secure communications in industrial environments.
Technical summary
The vulnerability exists in the web server implementation of Siemens RUGGEDCOM industrial Ethernet switches and related devices. When a user authenticates to the web management interface, the system exposes MACsec pre-shared keys or configuration data in cleartext within server responses or page content. MACsec (IEEE 802.1AE) provides hop-by-hop encryption and authentication for Ethernet frames. Compromise of these keys allows an attacker with network access to decrypt traffic between MACsec-protected endpoints, effectively neutralizing the security control. The attack requires valid low-privileged credentials, making credential theft or brute force a prerequisite. The exposure occurs server-side, suggesting inadequate output encoding or access controls on sensitive configuration data.
Defensive priority
medium
Recommended defensive actions
- Apply Siemens firmware update to version 5.9.0 or later for affected RUGGEDCOM devices
- If web server functionality is not required, disable the web server on affected systems
- Restrict network access to TCP ports 80 and 443 to trusted IP addresses only
- Review and rotate MACsec keys if compromise is suspected
- Monitor for unauthorized access attempts to device management interfaces
- Implement network segmentation to limit exposure of industrial control system devices
- Apply defense-in-depth strategies per CISA ICS recommended practices
Evidence notes
The vulnerability description and affected products are derived from CISA CSAF advisory ICSA-24-193-06, which references Siemens security advisory SSA-170375. The MACsec key exposure occurs through the web server interface to authenticated sessions. The August 12, 2025 modification expanded affected product listings to include RUGGEDCOM RSG2100P (32M) and RSG2100PNC (32M) for V4.x and V5.x firmware versions.
Official resources
-
CVE-2023-52238 CVE record
CVE.org
-
CVE-2023-52238 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-07-09