OTPulse

ICSA-21-063-02: Schneider Electric EcoStruxure Building Operation (EBO)

Monitor
Score: 6.7
Source: ICS-CERT ICSA-21-063-02
Published: Mar 4, 2021
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: Required
Summary

Schneider Electric EcoStruxure Building Operation versions 2.0 through 3.1 contain multiple vulnerabilities: improper file upload validation (CWE-434) allows uploading malicious files, cross-site scripting (CWE-79) enables code injection through web forms, XML external entity (XXE) attack vectors (CWE-611) exist in XML processing, and insufficient access controls (CWE-284) permit unauthorized actions. These flaws affect WebStation, Enterprise Server installer, WebReports, and Enterprise Central installer components. An authenticated attacker could upload files, inject malicious scripts, or manipulate system data to compromise building control operations.

What this means
What could happen
An attacker with valid user credentials could upload malicious files, inject code into web pages, or manipulate XML data in Schneider Electric EBO systems, potentially allowing them to run commands on the building management servers or alter control settings for HVAC, lighting, and other building systems.
Who's at risk
Building facilities managers and energy operators using Schneider Electric EcoStruxure Building Operation for HVAC, lighting, access control, and other building automation systems. This affects energy sector organizations managing large commercial or industrial facilities.
How it could be exploited
An attacker with a valid EBO user account accesses the WebStation, Enterprise Server, or WebReports application over the network. The attacker uploads a malicious file (CWE-434), injects script code into web forms (CWE-79), or submits specially crafted XML payloads (CWE-611); insufficient access controls (CWE-284) allow actions beyond what the account should be permitted. This could lead to unauthorized command execution on the Enterprise Server that controls building automation logic.
Prerequisites
  • Valid EBO user account credentials
  • Network access to WebStation, Enterprise Server, or WebReports web interface (typically port 80 or 443)
  • User interaction required (user must click or interact with injected content)
  • Knowledge of EBO application functionality
Key facts
  • Requires valid user credentials for exploitation
  • Multiple vulnerability types (file upload, XSS, XXE, access control)
  • No patch available for versions 2.0-3.1
  • Affects building automation and safety-related systems
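One defensive check against the XXE class (CWE-611) named above, written as an added example here rather than taken from Schneider Electric or the advisory: it rejects any XML that carries a DTD before the document reaches the application parser, since without a DTD no external entity can be declared. The sample documents, element names and function names are constructed for illustration.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DTD or entity declaration."""


def check_no_dtd(data: bytes) -> None:
    """Pre-scan with expat and abort on the first DOCTYPE or entity declaration.

    Refusing every DTD is the simplest complete defence against XXE: external
    entities (and entity-expansion bombs) can only be declared inside a DTD.
    The caveat is that harmless DTDs are rejected too, so callers must accept
    a DTD-free input format.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # exceptions from the handlers propagate here


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse user-supplied XML only after the DTD check has passed."""
    check_no_dtd(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return a short verdict string; convenient for logging at the boundary."""
    try:
        parse_untrusted(data)
        return "accepted"
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"
    except (ET.ParseError, xml.parsers.expat.ExpatError) as exc:
        return f"malformed: {exc}"


# Constructed samples: a benign setpoint document and one carrying an external entity.
BENIGN = b'<?xml version="1.0"?><schedule><zone id="AHU-1"><setpoint>21.5</setpoint></zone></schedule>'
XXE = (b'<?xml version="1.0"?><!DOCTYPE schedule [<!ENTITY ext SYSTEM "file:///dev/null">]>'
       b'<schedule><zone id="&ext;"/></schedule>')
```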
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (4)
4 with fix
Product                                  | Affected Versions | Fix Status
WebStation (v2.0 - v3.1)                 | ≥ 2.0, ≤ 3.1      | 3.2
WebReports (v1.9 - v3.1)                 | ≥ 1.9, ≤ 3.1      | 3.2
Enterprise Central installer (v2.0 - v3.1) | ≥ 2.0, ≤ 3.1    | 3.2
Enterprise Server installer (v1.9 - v3.1)  | ≥ 1.9, ≤ 3.1    | 3.2
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to EBO WebStation, Enterprise Server, and WebReports to authorized internal networks only; block direct internet access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade EcoStruxure Building Operation to version 3.2 or later
HOTFIX: If unable to upgrade immediately, apply the hotfix patch referenced in SEVD-2020-315-04 to versions prior to 3.2
Long-term hardening
HARDENING: Implement firewall rules to isolate the building management network from the corporate business network
HARDENING: Require multi-factor authentication for all EBO user accounts with access to administrative functions