OTPulse

Schneider Electric ETG3000 FactoryCast HMI Gateway Vulnerabilities

Low Risk · ICS-CERT ICSA-15-020-02 · Oct 23, 2015
Summary

The Schneider Electric FactoryCast HMI Gateway devices (TSXETG3000, TSXETG3010, TSXETG3021, TSXETG3022) contain authentication bypass vulnerabilities (CWE-306: Missing Authentication, CWE-798: Use of Hard-Coded Credentials). These flaws allow unauthenticated remote attackers to gain unauthorized access to the gateway and potentially execute commands or modify connected industrial processes. No firmware patches are available from the vendor.

What this means
What could happen
An attacker with network access to the FactoryCast HMI Gateway could bypass authentication and gain remote access to the device, potentially allowing command execution or unauthorized configuration changes to connected industrial processes.
Who's at risk
Energy and manufacturing facilities using Schneider Electric FactoryCast HMI Gateways (TSXETG3000, TSXETG3010, TSXETG3021, TSXETG3022) for supervisory control and data acquisition are affected. This is critical for utilities with legacy automation systems and manufacturing plants relying on these devices for process visibility and remote management.
How it could be exploited
An attacker on the network can send specially crafted requests to the FactoryCast HMI Gateway and bypass its authentication because of missing authentication or hard-coded credentials (CWE-306, CWE-798). Once past the authentication check, the attacker could interact with the gateway's control functions without valid credentials.
Prerequisites
  • Network access to the FactoryCast HMI Gateway (port and protocol not specified in advisory)
  • Device must be reachable from the attacker's network segment
remotely exploitable · no authentication required · no patch available · affects industrial control systems · legacy/end-of-life equipment
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (4)
Product                  Affected Versions   Fix Status
TSXETG3000: vers:all/*   All versions        No fix (EOL)
TSXETG3010: vers:all/*   All versions        No fix (EOL)
TSXETG3021: vers:all/*   All versions        No fix (EOL)
TSXETG3022: vers:all/*   All versions        No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate FactoryCast HMI Gateway devices to a protected network segment using firewall rules and network segmentation; restrict access to engineering workstations and automation servers only
WORKAROUND: Implement network access controls (firewall rules) to limit inbound connections to the gateway from trusted IP ranges and control ports
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption

HARDENING: Monitor network traffic to and from FactoryCast HMI Gateway devices for unauthorized access attempts or unusual command patterns
Mitigations - no patch available
The following products have reached End of Life with no planned fix: TSXETG3000: vers:all/*, TSXETG3010: vers:all/*, TSXETG3021: vers:all/*, TSXETG3022: vers:all/*. Apply the following compensating controls:
HARDENING: Develop and maintain an inventory of all FactoryCast ETG3000-series gateways in your environment to track exposure
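
The access-restriction, monitoring and inventory controls above can be checked together against flow logs. The following is an added example, not part of the advisory or any vendor tooling: it flags flows that reach an inventoried gateway from a source outside the trusted ranges. The gateway addresses, trusted networks, log format and sample records are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed inventory (placeholder addresses): gateway IP -> model.
GATEWAYS = {"10.20.0.11": "TSXETG3000", "10.20.0.12": "TSXETG3021"}
# Assumed trusted sources: engineering workstations and automation servers.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.20.5.0/28", "10.20.6.10/32")]

# Constructed flow records, "timestamp src dst dport"; ports are arbitrary
# because the advisory does not name the affected service.
SAMPLE_FLOWS = """\
2024-01-01T08:00:01 10.20.5.3 10.20.0.11 80
2024-01-01T08:00:07 10.20.6.10 10.20.0.12 80
2024-01-01T08:01:15 10.30.1.44 10.20.0.11 80
2024-01-01T08:01:16 10.30.1.44 10.20.0.11 21
2024-01-01T08:02:30 10.20.5.3 10.20.9.9 80
2024-01-01T08:03:02 192.0.2.77 10.20.0.12 80
malformed line
"""

def is_trusted(addr):
    return any(addr in net for net in TRUSTED)

def untrusted_gateway_flows(text):
    """Return (findings, skipped): flows that reach an inventoried gateway
    from a source outside TRUSTED, and the number of unparseable lines."""
    findings, skipped = [], 0
    for line in text.splitlines():
        try:
            ts, src, dst, dport = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:  # wrong field count, bad address or bad port
            skipped += 1
            continue
        model = GATEWAYS.get(str(dst))
        if model and not is_trusted(src):
            findings.append({"time": ts, "src": str(src), "dst": str(dst),
                             "model": model, "dport": dport})
    return findings, skipped

def summarize(findings):
    """Count out-of-allowlist flows per (source, gateway model) for triage."""
    return Counter((f["src"], f["model"]) for f in findings)

if __name__ == "__main__":
    hits, bad = untrusted_gateway_flows(SAMPLE_FLOWS)
    for (src, model), n in summarize(hits).items():
        print(f"{src} -> {model}: {n} flow(s) from outside the allowlist")
    print(f"{bad} unparseable line(s) skipped")
```

Because the advisory does not specify a port, the check treats any flow to a gateway from an untrusted source as a finding rather than filtering by service.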