OTPulse

Schneider Electric CNM

Monitor | 7.8 | ICS-CERT ICSA-21-287-01 | Oct 14, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

ConneXium Network Manager (CNM) contains a vulnerability that allows arbitrary command execution when a malicious .cxn project file is loaded. The vulnerability exists because Edit Mode is enabled by default with no password protection, allowing any loaded project to modify the CNM database and execute commands. The vulnerability is not remotely exploitable and requires a user to load a malicious project file into the CNM software on a local workstation. Schneider Electric has not released a patch and recommends users apply the Alarms Disabler Tool to preprocess project files and enable Edit Mode password protection.

What this means
What could happen
An attacker with local access to a workstation running ConneXium Network Manager could execute arbitrary commands on that machine, potentially allowing them to modify control logic, alter network configurations, or disrupt plant operations by manipulating the CNM project files and database.
Who's at risk
Network managers and engineering teams at energy utilities who use Schneider Electric ConneXium Network Manager (CNM) to configure and manage industrial networks and control systems. This affects any organization using CNM for switch configuration, device management, or network administration in electrical generation, transmission, or distribution environments.
How it could be exploited
An attacker must trick a user into opening a malicious .cxn project file on a CNM workstation. When the file is loaded without the Alarms Disabler Tool preprocessing, the attacker's malicious content is executed with the privileges of the CNM application. Since Edit Mode is enabled by default with no password protection, the attacker gains full access to modify control settings and network configurations.
Prerequisites
  • Local access to a workstation running ConneXium Network Manager
  • User must load a malicious .cxn project file into CNM
  • Edit Mode must be enabled (default condition)
  • Edit Mode password protection must not be set (default condition)
Local access required (not remotely exploitable) · Requires user interaction (must open malicious file) · Default unsafe configuration (Edit Mode enabled, no password) · Supply chain risk (malicious files via email or file sharing) · Affects network infrastructure and control configuration
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (1)
Product | Affected Versions | Fix Status
ConneXium Network Manager: All versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Download and run the CNM Alarms Disabler Tool on all .cxn project files before loading them into CNM, especially those from external or untrusted sources
HARDENING: Activate Edit Mode password protection in CNM by switching to Run mode before exiting the application, and require this password for any changes
HARDENING: Establish and enforce a policy to only load .cxn project files from trusted internal sources; do not load files from email, web downloads, or third parties without verification
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Run ConneXium Network Manager sessions with non-administrator user rights unless administrative privileges are specifically required for the current task
Mitigations - no patch available
ConneXium Network Manager: All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Harden CNM workstations by applying endpoint protection, network segmentation, and access controls to limit attack surface