Schneider Electric PowerLogic PM8ECC Cross-site Scripting Vulnerability
Monitor | 6.1 | ICS-CERT ICSA-16-173-02 | Mar 25, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Schneider Electric PowerLogic PM8ECC (firmware version 2.651 and earlier) contains a cross-site scripting (XSS) vulnerability in its web interface. An attacker can inject malicious JavaScript code that executes in the browser of any user who interacts with a crafted link or compromised web page while accessing the PM8ECC interface. The vulnerability affects the web management interface used by technicians to configure and monitor the power metering device.
What this means
What could happen
An attacker could inject malicious code into the PowerLogic PM8ECC web interface that would execute in the browser of an engineering technician who visits a compromised page, potentially allowing credential theft or session hijacking.
Who's at risk
Energy sector operators managing Schneider Electric PowerLogic PM8ECC power monitoring and control devices should be concerned. This primarily affects engineering and operations staff who access the device's web interface to configure settings, monitor power data, and manage the meter.
How it could be exploited
An attacker crafts a malicious link containing embedded JavaScript code and sends it to an authorized user (e.g., via email or a compromised website). When the user clicks the link and accesses the PM8ECC web interface, the script executes in their browser within the context of the device's web application, potentially capturing session cookies or credentials.
Prerequisites
- Network access to the PowerLogic PM8ECC web interface (typically port 80/443)
- User interaction required: an authorized technician must click a malicious link or visit a compromised page while authenticated to the device
Tags: remotely exploitable, low complexity, user interaction required, no patch available, web interface targeted
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
PowerLogic PM8ECC: <=Firmware_2.651 | ≤ Firmware 2.651 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the PM8ECC web interface using firewall rules; allow only trusted engineering workstations and monitoring stations to connect to the device.
WORKAROUND: Train technicians to avoid clicking suspicious links and to verify URLs before entering credentials on the PM8ECC interface.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Monitor for signs of unauthorized access or credential use on the PM8ECC; review access logs regularly.
Mitigations - no patch available
PowerLogic PM8ECC: <=Firmware_2.651 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate the PM8ECC on a dedicated management VLAN with restricted egress to the internet.
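One way to carry out the log review and the source allowlist check together, as an added example that is not part of the advisory or any Schneider Electric tooling. It assumes the requests to the meter are logged in Common Log Format by a reverse proxy or firewall placed in front of it; the subnet, addresses, /page path and q parameter are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Assumption: subnet of trusted engineering workstations (constructed value).
ALLOWED = [ipaddress.ip_network("10.20.30.0/28")]
# Markup that has no place in a request URL for a meter's web interface.
MARKERS = re.compile(r"<\s*(script|img|svg|iframe)\b|javascript:|\bon(error|load|click|focus)\s*=",
                     re.I)
# Common Log Format: src ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+')

def decode_fully(target, rounds=3):
    """Percent-decode several times so double-encoded markup is still seen."""
    for _ in range(rounds):
        target = unquote_plus(target)
    return target

def allowed(src):
    try:
        return any(ipaddress.ip_address(src) in net for net in ALLOWED)
    except ValueError:          # hostname or garbage in the source field
        return False

def review(lines):
    """Return (source, time, target, reasons) for every line worth a look."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            findings.append((None, None, line, ["unparsed"]))
            continue
        src, when, target = m.groups()
        reasons = []
        if not allowed(src):
            reasons.append("source-not-allowlisted")
        if MARKERS.search(decode_fully(target)):
            reasons.append("script-in-url")
        if reasons:
            findings.append((src, when, target, reasons))
    return findings

# Constructed sample lines; /page and its q parameter are placeholders.
SAMPLE = [
    '10.20.30.5 - tech1 [25/Mar/2016:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '10.20.30.5 - tech1 [25/Mar/2016:08:03:40 +0000] "GET /page?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 900',
    '10.20.30.6 - - [25/Mar/2016:08:05:02 +0000] "GET /page?q=%253Csvg%2520onload%253Dx HTTP/1.1" 200 880',
    '203.0.113.77 - - [25/Mar/2016:09:14:55 +0000] "GET /index.html HTTP/1.1" 200 5120',
]
```

Calling review(SAMPLE) flags the two requests from allowlisted workstations that carry markup in the URL, which is what a technician following a crafted link looks like in the log, and the one request from outside the allowlist.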
CVEs (1)