Schneider Electric homeLYnk Controller (Update A)
Plan: Patch
CVSS score: 8.8
ICS-CERT advisory: ICSA-17-019-01A
Date: Jan 19, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
The Schneider Electric homeLYnk Controller LSS100100 contains a cross-site scripting (XSS) vulnerability in its web-based management interface. An attacker can inject malicious scripts into the controller's web application through crafted requests. If an authenticated user visits a malicious link while logged into the controller's web interface, the injected script executes in their browser session with the user's privileges, potentially allowing credential theft, session hijacking, or unauthorized modification of controller settings and automation rules.
What this means
What could happen
An attacker with network access could inject malicious script into the homeLYnk Controller's web interface, allowing them to steal credentials or manipulate energy management settings on the device. This could disrupt local power monitoring, automation rules, or building management integrations depending on what the controller manages.
Who's at risk
Energy utilities and building managers operating Schneider Electric homeLYnk Controllers for distributed energy resource management, microgrid control, or building automation. Any organization with LSS100100 units running firmware older than version 1.5.0 is at risk.
How it could be exploited
An attacker crafts a malicious URL or web request containing script code and tricks a user (e.g., via phishing) into clicking it or visiting a compromised page. When an authenticated user accesses the homeLYnk Controller web interface in the same browser session, the injected script executes and can steal session cookies, harvest credentials, or make unauthorized changes to device settings.
Prerequisites
- Network access to the homeLYnk Controller web interface (HTTP/HTTPS)
- User interaction required: an authenticated user must visit the malicious URL or compromised page within their browser session
- Remotely exploitable over network
- Low complexity attack (script injection)
- User interaction required but feasible via phishing
- No patch available (end-of-life product)
- Affects energy management and automation systems
Exploitability
Moderate exploit probability (EPSS 3.2%)
Affected products (1)
Product: homeLYnk Controller LSS100100 (all)
Affected Versions: < 1.5.0
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the homeLYnk Controller web interface to only trusted engineering and administrative workstations using firewall rules or network segmentation
WORKAROUND: Disable web access to the controller entirely if local management is not required; use out-of-band management (serial console, engineering tool) instead
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Monitor web access logs to the controller for suspicious requests containing script tags or unusual URL parameters
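One way to carry out the log-monitoring control above, as an added example that is not Schneider Electric's or ICS-CERT's code: it assumes the controller (or a proxy in front of it) writes standard Common/Combined Log Format access lines, percent-decodes the requested URL repeatedly to undo double encoding, and flags requests carrying HTML or script-injection indicators. The log lines are constructed for the example, not captured from a real device.

```python
"""Scan web access logs for script-injection indicators (added example)."""
import re
from urllib.parse import unquote_plus

# Constructed sample access log lines (not real device output).
SAMPLE_LOG = """\
10.0.5.20 - - [19/Jan/2017:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 1532
10.0.5.20 - - [19/Jan/2017:09:12:05 +0000] "GET /objects?name=Boiler%20Room HTTP/1.1" 200 812
198.51.100.7 - - [19/Jan/2017:09:15:44 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 644
198.51.100.7 - - [19/Jan/2017:09:15:50 +0000] "GET /user?name=%253Cimg%2520src%3Dx%2520onerror%3Dfoo%253E HTTP/1.1" 200 644
10.0.5.21 - - [19/Jan/2017:09:20:10 +0000] "POST /login HTTP/1.1" 302 0
"""

# Common Log Format: ip ident user [timestamp] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Indicators of HTML/JS injection attempts. They are matched against the
# fully decoded, lower-cased URL so that percent-encoding and case tricks
# do not hide them.
INDICATORS = (
    re.compile(r"<\s*script"),
    re.compile(r"javascript\s*:"),
    re.compile(r"\bon(error|load|click|mouseover|focus|submit)\s*="),
    re.compile(r"<\s*(img|svg|iframe|object|embed)\b"),
)


def decode_url(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) to undo double or triple encoding."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_injection_attempts(log_text: str):
    """Return (ip, timestamp, decoded_url, indicator) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        decoded = decode_url(entry["url"]).lower()
        for pat in INDICATORS:
            if pat.search(decoded):
                hits.append((entry["ip"], entry["ts"], decoded, pat.pattern))
                break  # one alert per request is enough
    return hits


if __name__ == "__main__":
    for ip, ts, url, why in find_injection_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} matched {why!r}: {url}")
```

The decoder is bounded to a few rounds so a log line cannot make the scanner loop forever, and the indicator list is deliberately short; tune it against the controller's own legitimate parameter names before alerting on every hit.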
Mitigations - no patch available
homeLYnk Controller LSS100100 (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement browser security controls: ensure users operate from separate, isolated workstations when managing critical devices; avoid browsing untrusted websites from the same system
CVEs (2)
API:
/api/v1/advisories/9e5dea2c-b396-4e5d-9949-fa2e1fb7e3a6