Schneider Electric EcoStruxure Operator Terminal Expert
Plan Patch | 8.6 | ICS-CERT ICSA-20-142-02 | May 21, 2020
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior contain SQL injection (CWE-89), path traversal (CWE-22), and command injection (CWE-88) vulnerabilities. These flaws allow local attackers with user interaction to execute arbitrary commands or write to arbitrary files, potentially compromising project files and control system configuration. The vulnerabilities are not remotely exploitable but can be triggered by opening malicious project files.
What this means
What could happen
An attacker with local access to a workstation running EcoStruxure Operator Terminal Expert could execute arbitrary commands or modify project files, potentially altering control logic or plant configuration without authorization.
Who's at risk
Energy sector operators and system integrators who use EcoStruxure Operator Terminal Expert (formerly Vijeo XD) for HMI/SCADA workstations. This affects any organization that depends on this software for monitoring and controlling process automation systems, particularly power generation and distribution facilities.
How it could be exploited
An attacker must first gain local access to a workstation where EcoStruxure Operator Terminal Expert is installed. They could then exploit path traversal, SQL injection, or command injection vulnerabilities to modify project files or execute arbitrary code. This could be facilitated by tricking a user into opening a malicious project file from an untrusted source.
Prerequisites
- Local access to the workstation running EcoStruxure Operator Terminal Expert 3.1 SP1 or earlier
- User interaction required (e.g., opening a malicious project file)
- EcoStruxure Operator Terminal Expert software must be installed and running
- Local access required
- User interaction required
- No patch available for version 3.1 SP1 (only SP1A mentioned)
- Affects control system configuration and logic
- Path traversal and injection flaws allow unauthorized write access
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (1)
Product: EcoStruxure Operator Terminal Expert 3.1: Service Pack 1 and prior (formerly known as Vijeo XD)
Affected Versions: 3.1 SP1
Fix Status: 3.1 Service Pack 1A
Remediation & Mitigation
Do now
- WORKAROUND: Restrict execution of EcoStruxure Operator Terminal Expert to non-administrator user accounts
- WORKAROUND: Only accept project files from trusted users and disable auto-execution of project files
- WORKAROUND: Enable password protection when saving project files and enforce strong password policy for application users
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update to EcoStruxure Operator Terminal Expert Version 3.1 Service Pack 1A
Long-term hardening
- HARDENING: Implement application whitelisting to control what software can run on workstations
- HARDENING: Apply antivirus software and keep the Windows operating system patched
- HARDENING: Isolate workstations running EcoStruxure Operator Terminal Expert on a trusted network segment away from untrusted systems