Schneider Electric Unity PRO Control Flow Management Vulnerability
Plan Patch · 7.5 · ICS-CERT ICSA-16-306-03 · Aug 5, 2016
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary
Unity PRO versions prior to V11.1 contain a control flow management vulnerability (CWE-691) that allows an attacker to inject and execute malicious code within a Unity PRO project file. When an authorized engineer downloads the compromised project to a PLC, the injected code runs with full control privileges. The vulnerability requires user interaction (project file exchange) and some social engineering or network access to deliver the malicious project file.
What this means
What could happen
An attacker with access to a Unity PRO project file could inject malicious control logic that executes when the program runs on a PLC, potentially causing unintended process changes, equipment damage, or unsafe conditions in the controlled system.
Who's at risk
Energy generation and distribution facilities using Schneider Electric Unity PRO to program and manage PLCs and automation controllers. Any organization that uses Unity PRO for industrial process control—particularly power generation, distribution, water treatment, and manufacturing—should be concerned if project files are shared or stored on networked systems.
How it could be exploited
An attacker must first obtain a Unity PRO project file (via email, shared storage, or network access) and modify it to insert malicious code in the control logic. When the compromised project is compiled and downloaded to a PLC by an engineer, the malicious code executes with the same privileges as the legitimate program.
Prerequisites
- Access to a Unity PRO project file
- Ability to open and edit the project file (requires Unity PRO software)
- Social engineering, or network access to the share point where project files are stored
- Engineer must download the modified project to a PLC for code execution
- Control flow manipulation in safety-critical logic
- No patch available
- Supply chain attack vector (file-based delivery)
- Affects safety systems if used in critical control applications
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
Unity PRO: <V11.1 | <V11.1 | 11.1
Remediation & Mitigation
Do now
HARDENING: Restrict file-level access to Unity PRO project files; store projects in protected network locations with access controls limited to authorized engineering staff
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Implement code review procedures for all Unity PRO projects before deployment to production PLCs
HARDENING: Monitor and log all file modifications to project files and PLC downloads
Long-term hardening
HARDENING: Use network segmentation to isolate engineering workstations from production control systems; require air-gapped or VPN access for downloading projects to PLCs
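
The review and file-modification monitoring steps above can be backed by a hash baseline: record a SHA-256 for each project file at review time and refuse to download to a PLC if anything has changed since. This is an added example, not part of the advisory or any Schneider Electric tooling; the extension list, function names and manifest layout are assumptions.

```python
import hashlib, json, sys, tempfile
from pathlib import Path

# Assumption: extensions commonly used for Unity PRO project, archive and
# export files; adjust to what your engineering share actually holds.
PROJECT_EXTS = {".stu", ".sta", ".xef", ".zef"}

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 for every project file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in PROJECT_EXTS}

def write_baseline(root, manifest):
    """Record the reviewed state. Keep the manifest where editors of the
    project share cannot write, or a tamperer can simply re-baseline."""
    Path(manifest).write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))

def verify(root, manifest):
    """Compare the share against the reviewed baseline."""
    base = json.loads(Path(manifest).read_text())
    cur = snapshot(root)
    return {
        "modified": sorted(k for k in base.keys() & cur.keys() if base[k] != cur[k]),
        "missing": sorted(base.keys() - cur.keys()),
        "unreviewed": sorted(cur.keys() - base.keys()),
    }

def safe_to_download(findings):
    """True only when every project file matches its reviewed hash."""
    return not any(findings.values())

if __name__ == "__main__":
    # Constructed demo data, not real project files.
    with tempfile.TemporaryDirectory() as d:
        root, manifest = Path(d, "share"), Path(d, "baseline.json")
        root.mkdir()
        (root / "pump_station.stu").write_bytes(b"reviewed logic")
        write_baseline(root, manifest)
        (root / "pump_station.stu").write_bytes(b"reviewed logic + change")
        findings = verify(root, manifest)
        print(json.dumps(findings, indent=2))
        sys.exit(0 if safe_to_download(findings) else 1)
```

Run `write_baseline` after each approved code review and `verify` on the engineering workstation immediately before a PLC download; log the findings alongside the download record.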
CVEs (1)