OTPulse

Schneider Electric EcoStruxure, EcoStruxure Process Expert, SCADAPack RemoteConnect for x70

Act Now · 9.8 · ICS-CERT ICSA-22-223-03 · Aug 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities (CWE-122, CWE-191, CWE-120, CWE-125) in Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, and SCADAPack RemoteConnect for x70 allow execution of malicious files with elevated privileges. Exploitation occurs when a user opens a crafted project file on an affected workstation, potentially enabling an attacker to run arbitrary code with system-level access.

What this means
What could happen
An attacker could execute malicious code with elevated privileges on engineering workstations running EcoStruxure Control Expert, EcoStruxure Process Expert, or SCADAPack RemoteConnect, potentially allowing them to modify control logic, alter setpoints, or disrupt plant operations.
Who's at risk
Power generation and distribution companies, water utilities, and other critical infrastructure operators using Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert (formerly HDCS), or SCADAPack RemoteConnect for x70 on engineering workstations. This affects anyone managing PLCs, automation logic, or industrial process control systems with these Schneider products.
How it could be exploited
An attacker crafts a malicious project file and tricks an operator or engineer into opening it on an affected workstation. The vulnerability allows the malicious file to execute code with elevated privileges, giving the attacker control of the engineering workstation and potentially the ability to modify or deploy compromised control logic to PLCs and other devices on the network.
Prerequisites
  • User must open a malicious project file from an untrusted source on a workstation running affected software
  • The workstation must have one of the affected products installed and running
  • No network access required; exploitation is file-based
  • No authentication required for exploitation
  • Low complexity attack
  • No patch available for older versions
  • Affects engineering workstations with elevated system privileges
  • Actively used in critical infrastructure
Exploitability
Moderate exploit probability (EPSS 6.7%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
EcoStruxure Control Expert | All < 15.1 HF001 (including former Unity Pro) | 15.1 HF001
EcoStruxure Process Expert | All < 2021 (including former HDCS) | 2021
SCADAPack RemoteConnect for x70 | All < R2.7.3 | R2.7.3
Remediation & Mitigation
Do now
  • HARDENING: Restrict access to project files to trusted users only and enforce secure file storage practices
  • HARDENING: Use secure communication channels (e.g., encrypted protocols) when exchanging project files over the network
  • HARDENING: Establish a policy to only open project files received from verified trusted sources
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update EcoStruxure Control Expert to version 15.1 HF001 or later
  • HOTFIX: Update EcoStruxure Process Expert to version 2021 or later
  • HOTFIX: Update SCADAPack RemoteConnect for x70 to version R2.7.3 or later
  • HARDENING: Compute and regularly verify file hashes of project files to detect tampering before use
Long-term hardening
  • HARDENING: Apply hardening measures to all workstations running EcoStruxure Control Expert, EcoStruxure Process Expert, or SCADAPack RemoteConnect
  • HARDENING: Isolate control system networks behind firewalls and restrict network connectivity from business networks and the Internet
  • HARDENING: Consider migrating from Unity Pro to EcoStruxure Control Expert if still using the legacy product