OTPulse

ICSA-21-063-02_Schneider Electric EcoStruxure Building Operation (EBO)

MonitorCVSS 6.7ICS-CERT ICSA-21-063-02Nov 10, 2020
Schneider ElectricEnergy
Attack path
Attack VectorNetwork
Auth RequiredLow
ComplexityHigh
User InteractionRequired
Summary

Schneider Electric EcoStruxure Building Operation versions 2.0 through 3.1 contain multiple vulnerabilities: improper file upload validation (CWE-434) allows uploading malicious files, cross-site scripting (CWE-79) enables code injection through web forms, XML external entity (XXE) attack vectors (CWE-611) exist in XML processing, and insufficient access controls (CWE-284) permit unauthorized actions. These flaws affect WebStation, Enterprise Server installer, WebReports, and Enterprise Central installer components. An authenticated attacker could upload files, inject malicious scripts, or manipulate system data to compromise building control operations.

What this means
What could happen
An attacker with valid user credentials could upload malicious files, inject code into web pages, or manipulate XML data in Schneider Electric EBO systems, potentially allowing them to run commands on the building management servers or alter control settings for HVAC, lighting, and other building systems.
Who's at risk
Building facilities managers and energy operators using Schneider Electric EcoStruxure Building Operation for HVAC, lighting, access control, and other building automation systems. This affects energy sector organizations managing large commercial or industrial facilities.
How it could be exploited
An attacker with a valid EBO user account accesses the WebStation, Enterprise Server, or WebReports application over the network. The attacker uploads a malicious file (CWE-434), injects script code into web forms (CWE-79), or submits specially crafted XML payloads (CWE-611) that bypass access controls (CWE-284). This could lead to unauthorized command execution on the Enterprise Server that controls building automation logic.
Prerequisites
  • Valid EBO user account credentials
  • Network access to WebStation, Enterprise Server, or WebReports web interface (typically port 80 or 443)
  • User interaction required (user must click or interact with injected content)
  • Knowledge of EBO application functionality
Requires valid user credentials for exploitationMultiple vulnerability types (file upload, XSS, XXE, access control)No patch available for versions 2.0-3.1Affects building automation and safety-related systems
Exploitability
Some exploitation risk — EPSS score 1.5%
Affected products (8)
8 with fix
ProductAffected VersionsFix Status
WebStation: v2.0 - v3.1≥ 2.0 | ≤ 3.13.2
WebReports: v1.9 - v3.1≥ 1.9 | ≤ 3.13.2
Enterprise Central installer: v2.0 - v3.1≥ 2.0 | ≤ 3.13.2
WebReports V1.9 - V3.1≥ 1.9|≤ 3.13.2
Enterprise Server installer V1.9 - V3.1≥ 1.9|≤ 3.13.2
Enterprise Central installer V2.0 - V3.1≥ 2.0|≤ 3.13.2
WebStation V2.0 - V3.1≥ 2.0|≤ 3.13.2
Enterprise Server installer: v1.9 - v3.1≥ 1.9 | ≤ 3.13.2
Remediation & Mitigation
0/5
Do now
0/1
WORKAROUNDRestrict network access to EBO WebStation, Enterprise Server, and WebReports to authorized internal networks only; block direct internet access
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade EcoStruxure Building Operation to version 3.2 or later
HOTFIXIf unable to upgrade immediately, apply the hotfix patch referenced in SEVD-2020-315-04 to versions prior to 3.2
Long-term hardening
0/2
HARDENINGImplement firewall rules to isolate building management network from corporate business network
HARDENINGRequire multi-factor authentication for all EBO user accounts with access to administrative functions
View full CISA ICS-CERT advisory
API: /api/v1/advisories/8482dabf-d0b7-44c7-b24e-669e0502246b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

ICSA-21-063-02_Schneider Electric EcoStruxure Building Operation (EBO) | CVSS 6.7 - OTPulse