OTPulse

Schneider Electric EcoStruxure and SCADAPack

Monitor · 7.8 · ICS-CERT ICSA-21-259-02 · Sep 16, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A path traversal or code injection vulnerability in Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, and SCADAPack RemoteConnect allows code execution when a user opens a specially crafted project file. The vulnerability affects all current versions. Schneider Electric has not released a patch and is only establishing a future remediation plan. The vendor recommends securing project files, using checksums to verify integrity, running software with minimal privileges, and hardening workstations.

What this means
What could happen
An attacker with access to your EcoStruxure or SCADAPack project files could inject malicious code that executes when an engineer opens the file on a workstation, potentially allowing them to run commands on that machine and alter control system logic.
Who's at risk
Energy companies using Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, or SCADAPack RemoteConnect for engineering and control of power systems should be aware of this risk. It affects engineering workstations where operators and engineers develop and modify control logic and device configurations.
How it could be exploited
An attacker must first obtain a project file used by EcoStruxure Control Expert, EcoStruxure Process Expert, or SCADAPack RemoteConnect. This typically happens via social engineering, an intercepted file transfer, or a file stored in an accessible location. When an engineer opens the compromised file, the malicious code executes with the privileges of that user. If the user has administrator rights, the attacker gains full control of the engineering workstation.
Prerequisites
  • Access to project files (obtained through file theft, interception, or social engineering)
  • Engineer must open the compromised file on a workstation running the affected software
  • Impact is broader if the engineer has administrator privileges
  • No patch available from vendor
  • Affects engineering workstations (compromised logic could alter control system behavior)
  • File-based attack vector (common in ICS environments where files are shared and moved between systems)
  • Low complexity attack (requires only file access and user action)
Exploitability
Low exploit probability (EPSS 1.0%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
EcoStruxure Control Expert: All | All versions | No fix (EOL)
EcoStruxure Process Expert: All | All versions | No fix (EOL)
SCADAPack RemoteConnect for x70: All versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Store project files in a secure location with restricted access (only trusted engineers)
  • HARDENING: Use secure communication protocols (e.g., encrypted channels) when exchanging project files over the network
  • WORKAROUND: Compute checksums on all project files and verify them before opening to detect tampering
  • HARDENING: Run EcoStruxure and SCADAPack software without administrator rights to limit impact if a file is compromised
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Harden engineering workstations running the affected software (apply OS patches, disable unnecessary services, restrict local access)
  • HOTFIX: Monitor for vendor-provided patch availability and apply when released
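
One way to apply the checksum workaround listed under "Do now", as an added example that is not vendor or OTPulse code: a SHA-256 manifest is built from a known-good copy of a project folder and checked before anything in it is opened. The file names, folder layout and function names are constructed for this example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large project archives are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(project_dir):
    """Digest every file under project_dir, keyed by its relative path."""
    root = Path(project_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(project_dir, manifest):
    """Compare the folder to a trusted manifest and report each kind of drift."""
    current = build_manifest(project_dir)
    return {
        "modified": sorted(n for n in manifest
                           if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
    }

def safe_to_open(project_dir, manifest):
    """True only when nothing was changed, removed or added."""
    return not any(verify(project_dir, manifest).values())

def demo():
    """Constructed sample: placeholder project files, then simulated tampering."""
    with tempfile.TemporaryDirectory() as d:
        share = Path(d)
        (share / "pump_station.project").write_bytes(b"logic v1")
        (share / "libs").mkdir()
        (share / "libs" / "blocks.lib").write_bytes(b"function blocks")
        trusted = build_manifest(share)  # taken from the known-good copy
        clean = safe_to_open(share, trusted)
        (share / "pump_station.project").write_bytes(b"logic v1 + altered")
        (share / "libs" / "extra.dll").write_bytes(b"file added later")
        (share / "libs" / "blocks.lib").unlink()
        return clean, verify(share, trusted)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest somewhere that write access to the project share does not reach, since a checksum stored beside the file can be replaced along with it.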
API: /api/v1/advisories/cb7be272-fc46-4f38-9264-0ade4558735a