OTPulse

Schneider Electric EcoStruxure

Monitor | 7.4 | ICS-CERT ICSA-18-354-02 | Dec 20, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A vulnerability exists in Schneider Electric EcoStruxure Power SCADA Operation (PSO), EcoStruxure Energy Expert, EcoStruxure Power Monitoring Expert (PME), and related modules that allows attackers to exploit open redirect behavior (CWE-601) to conduct phishing attacks. The vulnerability requires user interaction (clicking a malicious link) but has network-wide scope, potentially affecting confidentiality and integrity of energy management systems.

What this means
What could happen
An attacker could craft a malicious link that redirects users to a phishing site impersonating the EcoStruxure application, potentially capturing operator credentials or installing malware on workstations that manage power systems, energy distribution, or monitoring operations.
Who's at risk
Electric utilities, energy distribution operators, and power system management personnel who use Schneider Electric EcoStruxure for power SCADA operations, power monitoring, energy expert management, and advanced dashboards. Operators using PME 8.2 or 9.0, Energy Expert 1.3 or 2.0, or PSO 8.2 or 9.0 are at risk if phishing campaigns target their credentials.
How it could be exploited
An attacker sends an email or message containing a crafted URL to an EcoStruxure application operator. When the operator clicks the link, the vulnerable application redirects them to an attacker-controlled website that mimics the legitimate login page. The operator enters their credentials, which are captured by the attacker, who can then use those credentials to access power monitoring or SCADA systems.
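A check a mail gateway or proxy-log review could apply to links that point at the EcoStruxure web interface, as an added example that is not part of the advisory or of Schneider Electric's code. The advisory does not name the affected parameter, so every query parameter is inspected; the hostname `pme.plant.example`, the path, and the parameter names in the sample links are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumption: hostnames your site uses for its EcoStruxure web interface.
TRUSTED_HOSTS = {"pme.plant.example"}

# Constructed sample links; the parameter names are hypothetical.
SAMPLE_LINKS = [
    "https://pme.plant.example/web/login?returnUrl=%2Freports%2Fdaily",
    "https://pme.plant.example/web/login?returnUrl=https%3A%2F%2Flogin.attacker.example%2Fpme",
    "https://pme.plant.example/web/login?next=%2F%2Flogin.attacker.example",
    "https://pme.plant.example/web/login?next=%5C%5Clogin.attacker.example%2Fx",
]

def redirect_host(value):
    """Host a parameter value would send a browser to, or None if same-site."""
    v = value.strip().replace("\\", "/")   # browsers treat '\' like '/'
    if v.startswith("//"):                  # scheme-relative form: //host/path
        v = "https:" + v
    try:
        parts = urlsplit(v)
    except ValueError:                      # malformed value, not a usable URL
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None                             # relative path stays on the site

def flag_link(link, trusted=TRUSTED_HOSTS):
    """Return (parameter, off-site host) pairs for a link to a trusted host."""
    try:
        parts = urlsplit(link)
    except ValueError:
        return []
    if (parts.hostname or "").lower() not in trusted:
        return []                           # not a link to the application
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        host = redirect_host(value)         # parse_qsl has percent-decoded it
        if host and host not in trusted:
            hits.append((name, host))
    return hits

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(flag_link(link) or "ok", link)
```

A non-empty result means the link shows a trusted hostname but carries a destination elsewhere, which is the pattern an operator cannot spot by reading only the start of the URL.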
Prerequisites
  • User must click a malicious link sent via email or embedded in a web page
  • Target user must have valid credentials to an EcoStruxure application
  • EcoStruxure application must be accessible (on engineering workstations or web-based interface)
  • no patch available for some versions
  • user interaction required (click phishing link)
  • affects administrative/engineering systems that control critical energy infrastructure
  • low technical complexity to exploit
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (6)
6 pending
Product / Affected Versions / Fix Status
  • Product: EcoStruxure Power SCADA Operation (PSO): 8.2 Advanced Reports and Dashboards Module. Affected versions: 8.2 Advanced Reports | Dashboards Module. Fix status: No fix yet
  • Product: EcoStruxure Energy Expert. Affected versions: 2.0. Fix status: No fix yet
  • Product: EcoStruxure Power SCADA Operation (PSO): 9.0 Advanced Reports and Dashboards Module. Affected versions: 9.0 Advanced Reports | Dashboards Module. Fix status: No fix yet
  • Product: EcoStruxure Power Monitoring Expert (PME). Affected versions: 8.2 (all editions). Fix status: No fix yet
  • Product: EcoStruxure Power Monitoring Expert (PME). Affected versions: 9.0. Fix status: No fix yet
  • Product: EcoStruxure Energy Expert: 1.3 (formerly Power Manager). Affected versions: 1.3 (formerly Power Manager). Fix status: No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Do not click on web links or open unsolicited attachments in email messages, and train operators to recognize phishing attempts targeting EcoStruxure credentials
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EcoStruxure Power SCADA Operation (PSO): 8.2 Advanced Reports and Dashboards Module
HOTFIX: Upgrade EcoStruxure Power Monitoring Expert (PME) 8.2 and Energy Expert 1.3 and PSO 8.2 Advanced Reports and Dashboards Module to the version available at the Schneider Electric security update link (CU3 General Release)
HOTFIX: Upgrade EcoStruxure Power Monitoring Expert (PME) 9.0 and Energy Expert 2.0 and PSO 9.0 Advanced Reports and Dashboards Module to the version available at the Schneider Electric security update link (CU1-18328-01)
Long-term hardening
HARDENING: Isolate all EcoStruxure engineering workstations and web interfaces from the business network using firewalls; restrict access to the management network only
HARDENING: Ensure all EcoStruxure programming and monitoring software is kept on isolated workstations that are never connected to any network other than the target control system network