Schneider Electric EcoStruxure Operator Terminal Expert runtime (Vijeo XD)
Plan Patch · 7.4 · ICS-CERT ICSA-20-336-01 · Dec 1, 2020
Attack Vector: Local
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
EcoStruxure Operator Terminal Expert Runtime contains a privilege escalation vulnerability in the BIOS loader on systems using legacy BIOS mode. A local user with access to the Windows PC or Harmony iPC can exploit this flaw to execute arbitrary commands with system privileges, potentially compromising workstation integrity and the ability to safely operate downstream control systems. The vulnerability affects versions 3.1 Service Pack 1A and earlier. Systems using UEFI BIOS mode are not vulnerable.
What this means
What could happen
A local user with physical or remote access to the engineering workstation running EcoStruxure Operator Terminal Expert could execute arbitrary commands with system privileges, potentially altering HMI configurations, process setpoints, or disabling operator visibility and control of industrial equipment.
Who's at risk
Water utilities and power plants using Schneider Electric EcoStruxure Operator Terminal Expert on Windows engineering workstations or Harmony iPC (HMIG5U series) HMI devices should assess their risk. This is critical for any organization where engineering workstations configure or control SCADA/HMI systems. The vulnerability only affects legacy BIOS systems—organizations already using UEFI are protected by design.
How it could be exploited
An attacker with local access to a Windows PC or Harmony iPC running the vulnerable software (version 3.1 SP1A or earlier with legacy BIOS) can exploit the privilege escalation flaw to run unauthorized commands. The vulnerability requires the attacker to already be logged into or have physical access to the engineering workstation—this is not a network attack.
Prerequisites
- Local or physical access to the Windows engineering workstation or Harmony iPC
- EcoStruxure Operator Terminal Expert Runtime version 3.1 Service Pack 1A or earlier installed
- Legacy BIOS mode enabled (not UEFI)
- User account on the workstation (no elevated credentials required for initial access)
- Local access required (not remotely exploitable)
- Low complexity attack once access is gained
- No authentication needed beyond workstation access
- Affects engineering workstations and HMI configuration devices
- Legacy BIOS systems only—UEFI mitigates by design
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Harmony iPC (HMIG5U, HMIG5U2) using legacy BIOS, with EcoStruxure Operator Terminal Expert Runtime 3.1 Service Pack 1A and prior installed | ≤ 3.1 Service Pack 1A | 3.1 Service Pack 1B
Windows PC using legacy BIOS, with EcoStruxure Operator Terminal Expert Runtime 3.1 Service Pack 1A and prior installed | ≤ 3.1 Service Pack 1A | 3.1 Service Pack 1B
Remediation & Mitigation
Do now
- WORKAROUND: Restrict physical and remote access to engineering workstations running EcoStruxure Operator Terminal Expert—only authorized engineers should have access
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update EcoStruxure Operator Terminal Expert Runtime to version 3.1 Service Pack 1B or later via Schneider Electric Software Update (SESU)
- HARDENING: Identify and convert Windows PCs from legacy BIOS to UEFI mode (check BIOS mode using msinfo32.exe; systems in UEFI mode are not vulnerable)
- HARDENING: Harden engineering workstations with antivirus, OS security updates, strong password policies, and application whitelisting per Schneider Electric best practices
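The two facts an operator needs before scheduling this patch are the firmware mode of each workstation and whether the affected runtime is installed. The following PowerShell script is an added example, not tooling from Schneider Electric or ICS-CERT; it reads the firmware mode that msinfo32.exe would show under "BIOS Mode" and lists matching entries from the Windows uninstall registry keys. The registry DisplayName pattern `*Operator Terminal Expert*` is an assumption and should be adjusted after checking one known host; the script reports the installed DisplayVersion for the operator to compare against 3.1 Service Pack 1B rather than attempting automatic version arithmetic.

```powershell
# Added example: scope check for ICSA-20-336-01 on a single Windows host.
# Not Schneider Electric code. Assumes the product's uninstall entry contains
# "Operator Terminal Expert" in DisplayName (adjust the pattern if it does not).

function Get-FirmwareMode {
    # Windows sets $env:firmware_type to "UEFI" or "Legacy" on supported builds.
    if ($env:firmware_type) { return $env:firmware_type }
    # Fallback for hosts where the variable is absent (Get-ComputerInfo needs PowerShell 5.1+).
    $info = Get-ComputerInfo -Property BiosFirmwareType -ErrorAction SilentlyContinue
    if ($info -and $info.BiosFirmwareType -eq 'Uefi') { return 'UEFI' }
    if ($info -and $info.BiosFirmwareType -eq 'Bios') { return 'Legacy' }
    return 'Unknown'
}

function Get-InstalledOte {
    # Uninstall keys written by both 64-bit and 32-bit installers.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Operator Terminal Expert*' } |   # assumed name pattern
        Select-Object DisplayName, DisplayVersion, InstallDate
}

$firmware = Get-FirmwareMode
$installs = Get-InstalledOte

Write-Host "Firmware mode : $firmware"
if (-not $installs) {
    Write-Host "Result        : no Operator Terminal Expert entry found (name pattern may need adjusting)"
    return
}
$installs | Format-Table -AutoSize

switch ($firmware) {
    'UEFI'   { Write-Host "Result        : UEFI mode - not in scope for ICSA-20-336-01" }
    'Legacy' { Write-Host "Result        : LEGACY BIOS - in scope; confirm version is 3.1 Service Pack 1B or later, otherwise patch via SESU" }
    default  { Write-Host "Result        : firmware mode unknown - check 'BIOS Mode' in msinfo32.exe manually" }
}
```

Run it in an elevated PowerShell session on each engineering workstation or Harmony iPC; a host reporting `Legacy` with a pre-SP1B version is the combination the advisory describes as vulnerable and belongs on the maintenance-window list.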
Long-term hardening
- HARDENING: Isolate engineering workstations on a separate management network segment, not directly accessible from business networks or the Internet
CVEs (1)
API:
/api/v1/advisories/cbdb84ea-51d2-454c-89ad-39dbf6594030