Schneider Electric Vijeo Citect, CitectSCADA, PowerLogic SCADA Vulnerability
Low Risk · ICS-CERT ICSA-13-217-02 · May 8, 2013
Summary
Schneider Electric Vijeo Citect, CitectSCADA, and PowerLogic SCADA versions 7.20 and earlier contain an XML External Entity (XXE) injection vulnerability (CWE-611). The vulnerability allows an attacker to have the application process malicious XML input, potentially leading to information disclosure or denial of service.
What this means
What could happen
An attacker could send crafted XML files to the SCADA system to read sensitive files from the server or cause the application to become unresponsive, disrupting monitoring and control of power or process systems.
Who's at risk
Energy sector organizations operating Schneider Electric SCADA platforms (Vijeo Citect, CitectSCADA, PowerLogic SCADA) for power distribution, generation monitoring, or process control should assess their exposure. This affects utilities managing electrical grids, substations, and industrial power systems.
How it could be exploited
An attacker with network access to the affected SCADA application could submit a malicious XML file that exploits the XXE vulnerability. The application would parse the XML and potentially expose sensitive configuration files or crash the service.
Prerequisites
- Network access to the SCADA application
- Ability to submit XML input to the application (e.g., via file upload, API, or direct protocol)
- Application must parse untrusted XML without proper validation
No patch available · Affects SCADA control systems · XML parsing vulnerability
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| CitectSCADA | ≤ 7.20 | No fix (EOL) |
| PowerLogic SCADA | ≤ 7.20 | No fix (EOL) |
| Vijeo Citect | ≤ 7.20 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation to isolate SCADA systems from untrusted networks and limit XML input sources to authorized systems only
- WORKAROUND: Disable or restrict XML import/processing features if not required for operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Apply input validation and filtering rules at firewalls or proxies to block suspicious XML payloads (e.g., DOCTYPE declarations, SYSTEM entities)
- HARDENING: Monitor SCADA system logs for unusual XML processing errors or file access attempts
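
The filtering item above (blocking DOCTYPE declarations and SYSTEM entities) can be enforced at a proxy or import gateway by parsing the document rather than matching byte patterns. The following is an added example, not code from the advisory or from Schneider Electric; it uses Python's standard-library expat binding, and the function names and sample documents are constructed for illustration.

```python
import xml.parsers.expat

class Rejected(Exception):
    """Raised from an expat callback to stop at the first DTD construct."""

def screen_xml(data: bytes) -> tuple[bool, str]:
    """Return (allowed, reason); fails closed on DTDs, entities, malformed input."""
    # No encoding argument: expat detects it from the BOM / XML declaration.
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise Rejected("DOCTYPE declaration")

    def on_entity_decl(*_args):
        raise Rejected("ENTITY declaration")

    def on_external_ref(*_args):
        raise Rejected("external entity reference")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except Rejected as why:
        return False, str(why)
    except xml.parsers.expat.ExpatError as err:
        return False, f"malformed XML: {err}"
    return True, "ok"

def naive_byte_match(data: bytes) -> bool:
    """A plain signature rule: looks for the ASCII byte strings only."""
    return b"<!DOCTYPE" in data or b"<!ENTITY" in data

# Constructed samples (not taken from the advisory or the affected products).
BENIGN = b'<tags><tag name="Pump1" value="42"/></tags>'
WITH_DTD = '<!DOCTYPE r [<!ENTITY x SYSTEM "file:///constructed/placeholder">]><r>&x;</r>'
SAMPLES = {
    "benign": BENIGN,
    "dtd-utf8": WITH_DTD.encode("utf-8"),
    "dtd-utf16": WITH_DTD.encode("utf-16"),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, naive_byte_match(blob), screen_xml(blob))
```

The UTF-16 sample is rejected by `screen_xml` but is not seen by `naive_byte_match`, which is why the check belongs in a parser rather than in a byte signature.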
Long-term hardening
- HOTFIX: Plan upgrade to replacement SCADA platform with vendor support and security patches
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CitectSCADA: <=7.20, PowerLogic SCADA: <=7.20, Vijeo Citect: <=7.20. Apply the following compensating controls:
- HARDENING: Implement defense-in-depth controls including role-based access, multi-factor authentication for administrative access, and network monitoring
CVEs (1)