OTPulse

Schneider Electric PowerLogic PM8ECC Hard-coded Password Vulnerability

Act Now | 9.1 | ICS-CERT ICSA-16-292-01 | Jul 22, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

PowerLogic PM8ECC contains a hard-coded password vulnerability that allows unauthenticated network access to device management functions. The device ships with a fixed credential that cannot be changed through normal administration, enabling an attacker on the network to log in and modify device configuration.

What this means
What could happen
An attacker with network access could log in to the PM8ECC using the hard-coded password and modify meter configuration, disable alarms, or alter power measurement settings used for billing, demand response, and grid operations.
Who's at risk
Electrical utilities and energy management operators responsible for power metering and monitoring. The PowerLogic PM8ECC is used in energy measurement, power quality monitoring, and billing systems. Any facility using PM8ECC for power data collection should assume the device is vulnerable to unauthorized administrative access.
How it could be exploited
An attacker on the network sends a login request to the PM8ECC with the hard-coded credential, gains administrative access without needing any user-supplied password, and can then reconfigure the device to change power readings, disable monitoring, or cause operational disruptions.
Prerequisites
  • Network access to PM8ECC web interface or management port
  • Knowledge of the hard-coded credential (publicly disclosed)
  • No authentication bypass needed—credential is unchangeable
Remotely exploitable | No authentication required (hard-coded credential) | Low complexity exploitation | No patch available | Default credentials cannot be changed
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
PowerLogic PM8ECC: <=2.651 | ≤ 2.651 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate PM8ECC devices from untrusted networks using network segmentation, firewall rules, or air-gapping from external connectivity
WORKAROUND: Restrict access to PM8ECC management ports (HTTP/HTTPS and Modbus TCP) to only authorized administrative workstations using firewall rules or access control lists
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor PM8ECC for unauthorized login attempts and configuration changes; alert on any administrative access
Mitigations - no patch available
PowerLogic PM8ECC: <=2.651 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Evaluate replacement or retirement of PM8ECC units given no vendor fix is available and device is end-of-life or unsupported
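
One way to check the access-restriction and monitoring items above against firewall or flow logs, as an added example that is not part of the advisory or any vendor tooling. The log format, the documentation-range addresses and the port numbers (standard defaults for HTTP, HTTPS and Modbus TCP) are assumptions; adjust them to the site.

```python
import ipaddress

# Assumed values for illustration only (not from the advisory).
MGMT_PORTS = {80: "HTTP", 443: "HTTPS", 502: "Modbus TCP"}
METERS = {ipaddress.ip_address(a) for a in ("192.0.2.15", "192.0.2.16")}
ADMIN_NETS = [ipaddress.ip_network("198.51.100.0/28")]  # authorized workstations

# Constructed sample flow records: "timestamp src dst dport action"
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 198.51.100.4 192.0.2.15 443 ALLOW
2024-05-01T08:03:12Z 203.0.113.22 192.0.2.15 80 ALLOW
2024-05-01T08:03:40Z 203.0.113.22 192.0.2.16 502 DENY
2024-05-01T08:04:02Z 198.51.100.5 192.0.2.16 502 ALLOW
2024-05-01T08:05:00Z 203.0.113.22 192.0.2.99 80 ALLOW
malformed line
"""

def is_authorized(src):
    """True when the source sits in an authorized administrative network."""
    return any(src in net for net in ADMIN_NETS)

def audit(log_text):
    """Flag management-port traffic to a meter from unauthorized sources."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            ts, src, dst, dport, action = line.split()
            src = ipaddress.ip_address(src)
            dst = ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            # Unparseable records are reported, never silently dropped.
            findings.append({"line": lineno, "severity": "parse-error"})
            continue
        if dst not in METERS or dport not in MGMT_PORTS or is_authorized(src):
            continue
        # ALLOW: the ACL has a gap. DENY: the control held, still worth an alert.
        severity = "acl-gap" if action.upper() == "ALLOW" else "blocked-attempt"
        findings.append({"line": lineno, "severity": severity, "time": ts,
                         "src": str(src), "dst": str(dst),
                         "service": MGMT_PORTS[dport]})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

An "acl-gap" finding means the firewall rule set still lets an unauthorized host reach a meter and should be closed first; "blocked-attempt" findings feed the alerting called for in the monitoring item.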