OTPulse

Schneider Electric Zelio Soft 2

Priority: Plan Patch
CVSS base score: 7.8
Advisory: ICS-CERT ICSA-19-008-01
Published: Jan 8, 2019
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Zelio Soft 2 contains a use-after-free (CWE-416) that can lead to code execution when a specially crafted project file is opened. Exploitation requires a user to open the malicious file; the attacker needs no network access to the workstation itself (attack vector: local), only a way to deliver the file.

What this means
What could happen
An attacker could execute arbitrary code on the engineering workstation running Zelio Soft 2, potentially allowing modification or deletion of control logic for Zelio relays and small PLCs. This could disrupt process control, alter setpoints, or prevent legitimate control operations.
Who's at risk
Energy sector operators who use Zelio Soft 2 to program Zelio relays and small programmable logic controllers (PLCs) should be aware that engineering workstations running this software are at risk. This includes municipal utilities, industrial facilities, and any organization using Schneider Electric's Zelio control devices.
How it could be exploited
An attacker crafts a malicious Zelio Soft 2 project file and tricks an engineer into opening it (via email, file share, or social engineering). When the file is parsed, the use-after-free is triggered and the attacker's code runs with the privileges of the engineering workstation user; if that user has local administrator rights, so does the attacker. The attacker could then modify or extract the control logic, or use the workstation as a pivot point to reach other systems on the network.
Prerequisites
  • User interaction required (engineer must open the malicious project file)
  • File access to the engineering workstation running Zelio Soft 2
Tags:
  • Local code execution via file interaction
  • Low complexity attack
  • User interaction required
  • No authentication required
  • Affects engineering workstations and control logic
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product        Affected Versions   Fix Status
Zelio Soft 2   ≤ 5.15.2            Fixed: update to 5.2 or later (see Remediation)

Note: the affected range above is as listed on this page, while the remediation names 5.2 as the fixed release; confirm the exact affected range against ICSA-19-008-01 before relying on either number.
Remediation & Mitigation
Do now
WORKAROUND: Educate staff not to open unsolicited Zelio Soft 2 project files or email attachments from untrusted sources, and to treat project files with the same caution as executables. This reduces exposure but does not remove the flaw; it is not a substitute for updating.
Schedule — requires maintenance window
Updating Zelio Soft 2 is a software update on the engineering workstation, not a firmware update on the Zelio relays. The update may require a workstation reboot, so schedule it for a window when no live changes to control logic are planned.

HOTFIX: Update Zelio Soft 2 to version 5.2 or later
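Before scheduling the update it helps to know which workstations actually carry a vulnerable install. The following PowerShell script is an added example, not part of the OTPulse advisory or any Schneider Electric tooling: it reads the standard Windows uninstall registry keys, finds entries whose display name matches Zelio Soft 2, and compares the recorded version against the 5.2 threshold named above. The display-name pattern, the assumption that the product registers under the 32-bit (WOW6432Node) hive, and the version-string cleanup are assumptions; adjust them if your installs report differently.

```powershell
# Added example (not from the advisory or from Schneider Electric): audit a
# Windows engineering workstation for a Zelio Soft 2 install older than the
# fixed release. Run locally or via Invoke-Command against a list of hosts.

$FixedVersion = [version]'5.2'   # fixed release named in the remediation

# Both uninstall hives; Zelio Soft 2 is assumed to be a 32-bit application,
# so it would normally appear under WOW6432Node.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ZelioSoft2Install {
    # DisplayName pattern is an assumption; check Programs and Features on
    # one known workstation and adjust if the product registers differently.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Zelio Soft 2*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-ZelioSoft2Vulnerable {
    param([string]$DisplayVersion)
    # Registry version strings are not always clean; keep only the leading
    # dotted numeric part so [version] can parse it ("5.1.0.0 SP1" -> "5.1.0.0").
    if ($DisplayVersion -match '^(\d+(\.\d+)+)') {
        return ([version]$Matches[1] -lt $FixedVersion)
    }
    # Unparseable or missing version: flag for manual review rather than
    # silently reporting it as fixed.
    return $null
}

$installs = @(Get-ZelioSoft2Install)
if ($installs.Count -eq 0) {
    Write-Output "Zelio Soft 2 not found in the uninstall registry on $env:COMPUTERNAME"
}
else {
    foreach ($app in $installs) {
        $vulnerable = Test-ZelioSoft2Vulnerable -DisplayVersion $app.DisplayVersion
        if ($vulnerable -eq $true) {
            $status = 'VULNERABLE - update to 5.2 or later'
        }
        elseif ($vulnerable -eq $false) {
            $status = 'OK - 5.2 or later'
        }
        else {
            $status = 'UNKNOWN - check version manually'
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Product  = $app.DisplayName
            Version  = $app.DisplayVersion
            Status   = $status
        }
    }
}
```

The script only reads the registry, so it is safe to run on a production engineering workstation during operations. It reports UNKNOWN rather than OK when the version string cannot be parsed, so that an odd install does not slip through as patched; those hosts should be checked by hand in Zelio Soft 2's About dialog.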
Long-term hardening
HARDENING: Segregate engineering workstations from the business network using firewalls, so that a workstation compromised through a phished project file cannot be reached from, or reach, business IT systems.
HARDENING: Apply defense-in-depth, including network segmentation between the engineering network and the control network, so that a compromised workstation has a limited and monitored path to the Zelio devices it programs.