OTPulse

SchneiderWEB Server Directory Traversal Vulnerability

Act Now · ICS-CERT ICSA-14-273-01 · Jul 3, 2014
Summary

SchneiderWEB web HMI servers contain a directory traversal vulnerability (CWE-22) that allows unauthorized access to files outside the intended directory structure. The vulnerability affects a wide range of Schneider Electric industrial automation controllers and network modules used in power distribution, process control, and automation systems.

What this means
What could happen
An attacker with network access to the web HMI could read sensitive configuration files, engineering data, or system information from the device, potentially revealing process logic, credentials, or network topology information. This could enable further attacks on the control system.
Who's at risk
This vulnerability affects Schneider Electric industrial automation devices across energy and manufacturing sectors, including: Modicon M340 PLCs (140CPU, 140NOC, 140NOE, 140NWM series), Modicon Quantum processors (BMXP, BMXNOC, BMXNOE, BMXNOR series), TSX Micro controllers (TSXP, TSXETY, TSXETZ, TSXWMY, TSXNTP series), and Ethernet switch modules (STB, TSXETC series). Any facility using these devices for process control, power distribution automation, or SCADA monitoring is affected.
How it could be exploited
An attacker would send HTTP requests with directory traversal sequences (e.g., ../ or URL-encoded equivalents) to the SchneiderWEB server to access files outside the web root. This could allow reading configuration files, firmware, or other sensitive data stored on the device's filesystem.
Prerequisites
  • Network access to the web HMI HTTP port (typically port 80 or 443)
  • The SchneiderWEB server must be accessible (no authentication is required to exploit the directory traversal)
remotely exploitable · no authentication required · no patch available · high EPSS score (18.9%)
Exploitability
High exploit probability (EPSS 18.9%)
Affected products (66)
66 pending
Product | Affected Versions | Fix Status
SchneiderWEB web HMI: 140CPU65150 | 140CPU65150 | No fix yet
SchneiderWEB web HMI: 171CCC96020 | 171CCC96020 | No fix yet
SchneiderWEB web HMI: BMXP3420302H | BMXP3420302H | No fix yet
SchneiderWEB web HMI: TSXP572623M | TSXP572623M | No fix yet
SchneiderWEB web HMI: TSXP572634M | TSXP572634M | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Implement network segmentation to restrict access to the SchneiderWEB HMI to authorized engineering workstations and management networks only
  • HARDENING: Deploy firewall rules to block direct HTTP/HTTPS access to the SchneiderWEB servers from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • WORKAROUND: Use a reverse proxy or application firewall in front of the SchneiderWEB server to filter directory traversal attack patterns
Long-term hardening
  • HARDENING: Monitor web server access logs for suspicious patterns such as requests containing ../ or encoded traversal sequences
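
One way to implement the access-log monitoring recommended above, as an added example (not code from Schneider Electric, ICS-CERT or this site). It assumes the log is in Common Log Format, for instance written by a reverse proxy in front of the HMI; the log lines, IP addresses and file names are constructed.

```python
import re
from urllib.parse import unquote

# Assumed format: Common Log Format, e.g. written by a reverse proxy in front of the HMI.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
# Overlong UTF-8 forms of '/', '.' and '\' that lenient decoders map to the plain character.
OVERLONG_RE = re.compile(r'%c0%af|%c0%ae|%c1%9c', re.IGNORECASE)
SEPARATORS = re.compile(r'[/\\?&=;]')
MAX_DECODE_ROUNDS = 5  # bounds the work spent on deliberately nested encodings


def is_traversal(target: str) -> bool:
    """True if the request target yields a '..' segment after repeated decoding."""
    current = target
    for _ in range(MAX_DECODE_ROUNDS):
        if OVERLONG_RE.search(current):
            return True
        decoded = unquote(current, errors="replace")
        if decoded == current:
            break
        current = decoded
    # Treat '\' like '/' and also look inside query parameters.
    return ".." in SEPARATORS.split(current)


def scan(lines):
    """Return (client_ip, raw_target) for every log line flagged as traversal."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_traversal(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


# Constructed sample log lines (documentation IP ranges, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jul/2014:10:00:00 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Jul/2014:10:00:05 +0000] "GET /html/../../example.cfg HTTP/1.1" 404 0',
    '198.51.100.7 - - [03/Jul/2014:10:00:06 +0000] "GET /html/%2e%2e%2fexample.cfg HTTP/1.1" 404 0',
    '198.51.100.8 - - [03/Jul/2014:10:00:09 +0000] "GET /html/%252e%252e%255cexample.cfg HTTP/1.1" 404 0',
    '198.51.100.9 - - [03/Jul/2014:10:00:12 +0000] "GET /html/..%c0%afexample.cfg HTTP/1.1" 404 0',
    '192.0.2.11 - - [03/Jul/2014:10:00:15 +0000] "GET /docs/release..notes.htm HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(f"ALERT traversal pattern from {ip}: {target}")
```

Decoding repeatedly before matching is what catches the double-encoded request, and matching whole `..` segments rather than the substring keeps file names such as `release..notes.htm` from raising alerts.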