Schneider Electric StruxureOn Gateway
Plan Patch | 7.2 | ICS-CERT ICSA-18-046-04 | Feb 15, 2018
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
The StruxureOn Gateway contains an arbitrary file upload vulnerability in its management interface. An attacker with administrative or engineering credentials can upload and execute malicious files on the device, potentially gaining control of building management and operational systems connected to the gateway.
What this means
What could happen
An attacker with high-level credentials could upload and execute arbitrary files on the StruxureOn Gateway, potentially compromising building management systems and connected operational equipment across your facility.
Who's at risk
Energy sector operators responsible for building management, HVAC control, and facility automation systems using StruxureOn Gateway. Facilities managers and building operators in utilities and industrial plants that rely on this gateway for remote monitoring and control.
How it could be exploited
An attacker with engineering or administrative credentials remotely accesses the StruxureOn Gateway web interface and uploads a malicious file (such as a web shell or executable) by exploiting improper file upload validation. The gateway then executes this file, giving the attacker control over the device and any systems it manages.
Prerequisites
- High-level administrative or engineering credentials for the StruxureOn Gateway
- Network access to the gateway's management interface (typically HTTP/HTTPS port 80 or 443)
- The gateway must be reachable from the attacker's network location
remotely exploitable, low complexity, high-level credentials required, improper input validation on file uploads, affects building management and facility control systems
Exploitability
Moderate exploit probability (EPSS 2.8%)
Affected products (1)
Product | Affected Versions | Fix Status
StruxureOn Gateway: all | < 1.2 | 1.2 or later
Remediation & Mitigation
Do now
WORKAROUND: Restrict administrative access to the StruxureOn Gateway management interface using firewall rules; only allow connections from trusted engineering workstations and approved networks
HARDENING: Enforce strong, unique passwords for all administrative and engineering accounts on the StruxureOn Gateway
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade StruxureOn Gateway to version 1.2 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate the StruxureOn Gateway and connected building management systems on a separate VLAN from general corporate IT networks
CVEs (1)