Schneider Electric SESU

Low RiskCVSS 3.8ICS-CERT ICSA-21-336-01Nov 9, 2021

Schneider ElectricEnergy

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric Software Update (SESU) versions 2.3.0 through 2.5.1 contain a vulnerability that could allow an attacker with local access to configure the software to establish an unintended connection between an internal control network and an external network. This vulnerability could bypass network isolation protections that keep control systems separated from the internet and business networks. The vulnerability is not remotely exploitable and requires physical or local access to the workstation running SESU. Schneider Electric recommends updating to a newer version of SESU and implementing network segmentation and physical access controls.

What this means

What could happen

An attacker with local access could configure SESU to establish an unintended connection from your internal control network to an external network, potentially bypassing network isolation and enabling unauthorized remote access to your systems.

Who's at risk

This affects energy sector operators and system integrators who use Schneider Electric SESU (Software Update) version 2.3.0 through 2.5.1 for managing distributed control systems, safety systems, or remote equipment updates. Primarily impacts organizations that rely on isolated networks for critical infrastructure.

How it could be exploited

An attacker with local access to a computer running SESU could modify the application's configuration to create a connection path between your isolated control network and an external network. This requires physical or local access to the workstation where SESU is installed.

Prerequisites

Local access to a workstation running SESU v2.3.0 through v2.5.1
User-level or administrative credentials on the host system
SESU configured as a managed product within the application

Requires local access to exploitNo patch available as of advisory dateAffects network isolation controls

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (2)

1 with fix1 EOL

ProductAffected VersionsFix Status

Schneider Electric Software Update, V2.3.0 through V2.5.1≥ 2.3.0|≤ 2.5.12.5.2

Schneider Electric Software Update: v2.3.0 through v2.5.1≥ 2.3.0 | ≤ 2.5.1No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/2

HARDENINGRestrict physical access to computers running SESU by placing them in locked rooms or locked cabinets with limited key access

HARDENINGEnsure all controllers managed by SESU are placed in locked cabinets and not left in Program mode

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SESU to the latest available version (newer than v2.5.1) if available through the automatic update prompt within SESU

HOTFIXIf automatic updates are unavailable, download and install the latest SESU version from Schneider Electric's website

Mitigations - no patch available

0/2

Schneider Electric Software Update: v2.3.0 through v2.5.1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate the SESU management network from your business network using a firewall and network segmentation

HARDENINGNever connect programming or management workstations running SESU to any network other than the intended control network

CVEs (1)

CVE-2021-22799

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e45747dd-cb1f-4ec4-8f0d-a2b4b8d0014a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.