Schneider Electric homeLYnk Controller (Update A)

Plan PatchCVSS 8.8ICS-CERT ICSA-17-019-01AJan 19, 2017

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

The Schneider Electric homeLYnk Controller LSS100100 contains a cross-site scripting (XSS) vulnerability in its web-based management interface. An attacker can inject malicious scripts into the controller's web application through crafted requests. If an authenticated user visits a malicious link while logged into the controller's web interface, the injected script executes in their browser session with the user's privileges, potentially allowing credential theft, session hijacking, or unauthorized modification of controller settings and automation rules.

What this means

What could happen

An attacker with network access could inject malicious script into the homeLYnk Controller's web interface, allowing them to steal credentials or manipulate energy management settings on the device. This could disrupt local power monitoring, automation rules, or building management integrations depending on what the controller manages.

Who's at risk

Energy utilities and building managers operating Schneider Electric homeLYnk Controllers for distributed energy resource management, microgrid control, or building automation. Any organization with LSS100100 units running firmware older than version 1.5.0 is at risk.

How it could be exploited

An attacker crafts a malicious URL or web request containing script code and tricks a user (e.g., via phishing) into clicking it or visiting a compromised page. When an authenticated user accesses the homeLYnk Controller web interface in the same browser session, the injected script executes and can steal session cookies, harvest credentials, or make unauthorized changes to device settings.

Prerequisites

Network access to the homeLYnk Controller web interface (HTTP/HTTPS)
User interaction required: an authenticated user must visit the malicious URL or compromised page within their browser session

Remotely exploitable over networkLow complexity attack (script injection)User interaction required but feasible via phishingNo patch available (end-of-life product)Affects energy management and automation systems

Exploitability

Some exploitation risk — EPSS score 3.2%

Affected products (1)

ProductAffected VersionsFix Status

homeLYnk Controller LSS100100: all< 1.5.0No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict network access to the homeLYnk Controller web interface to only trusted engineering and administrative workstations using firewall rules or network segmentation

WORKAROUNDDisable web access to the controller entirely if local management is not required; use out-of-band management (serial console, engineering tool) instead

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor web access logs to the controller for suspicious requests containing script tags or unusual URL parameters

Mitigations - no patch available

0/1

homeLYnk Controller LSS100100: all has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement browser security controls: ensure users operate from separate, isolated workstations when managing critical devices; avoid browsing untrusted websites from the same system

CVEs (2)

CVE-2017-5157 CVE-2017-7689

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9e5dea2c-b396-4e5d-9949-fa2e1fb7e3a6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.