The vulnerabilities were discovered by Eireann Leverett, Senior security consultant for IOActive and have been reported to Siemens.
The first vulnerability(CVE-2013-5944) could allow hackers to perform administrative operation over the network without authentication.
The Second vulnerability (CVE-2013-5709) could allow hackers to hijack web sessions over the network without authentication. This is due to insufficient entropy in its random number generator.
Siemens produced a patch within 3 months. Customers of Siemens are advised to apply the SCALANCE X-200 firmware update.
Eireann is scheduled to demonstrate the vulnerabilities and release proof-of-concept code for organizations to check their own devices, at next week's S4 SCADA security conference in Miami.