Schneider Electric IGSS

Plan PatchCVSS 8.8ICS-CERT ICSA-23-082-04Mar 14, 2023

Schneider ElectricEnergyManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

IGSS Data Server (IGSSdataServer.exe), Dashboard (DashBoard.exe), and Custom Reports (RMS16.dll) in version 16.0.0.23040 and earlier contain multiple input validation and deserialization flaws (CWE-306, CWE-345, CWE-502, CWE-22, CWE-20). These vulnerabilities allow remote code execution without authentication and can result in denial-of-service conditions, modification of dashboard/report files, or loss of SCADA control. Version 16.0.0.23041 includes corrections and is available for download from IGSS Master Update IGSS Software or directly from Schneider Electric.

What this means

What could happen

An attacker could run arbitrary code on IGSS servers, taking control of SCADA operations, or cause denial-of-service attacks that disrupt dashboard access and report generation in production environments.

Who's at risk

Energy utilities and manufacturing plants using Schneider Electric IGSS (Integrated Graphical SCADA System) version 16.0.0.23040 or earlier should prioritize this update. This affects facilities running IGSS in production mode for SCADA monitoring and control, particularly those with remote dashboard or report access.

How it could be exploited

An attacker on the network sends a specially crafted request to the IGSS Data Server, Dashboard, or Custom Reports component. The request exploits insufficient input validation and insecure deserialization (CWE-502) to achieve remote code execution. No user credentials are required, but user interaction may be needed for some attack vectors.

Prerequisites

Network access to IGSS Data Server port (typically 55000 or custom)
IGSS version 16.0.0.23040 or earlier deployed
IGSS services running (DashBoard.exe or IGSSdataServer.exe process active)

remotely exploitableno authentication requiredlow complexityno patch available initially (end-of-life product)affects SCADA control systemshigh CVSS score (8.8)

Exploitability

Some exploitation risk — EPSS score 3.9%

Affected products (6)

5 with fix1 EOL

ProductAffected VersionsFix Status

IGSS Data Server≤ 16.0.0.2304016.0.0.23041

IGSS Dashboard≤ 16.0.0.2304016.0.0.23041

Custom Reports≤ 16.0.0.23040No fix (EOL)

IGSS Data Server (IGSSdataServer.exe): V16.0.0.23040 and prior≤ 16.0.0.2304016.0.0.23041

IGSS Dashboard (DashBoard.exe): V16.0.0.23040 and prior≤ 16.0.0.2304016.0.0.23041

Custom Reports (RMS16.dll): V16.0.0.23040 and prior≤ 16.0.0.2304016.0.0.23041

Remediation & Mitigation

0/5

Do now

0/2

IGSS Data Server

HARDENINGRestrict network access to IGSS Data Server to engineering workstations and authorized control systems only

All products

WORKAROUNDEnable automatic file backup in IGSS System Configuration module under Files to protect dashboard and report files

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

IGSS Data Server

HOTFIXUpdate IGSS Data Server, Dashboard, and Custom Reports (RMS) to version 16.0.0.23041 or later

All products

HOTFIXTest the update in a non-production environment before deploying to production SCADA systems

Mitigations - no patch available

0/1

Custom Reports has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGReview and implement Schneider Electric Security Guideline for IGSS to strengthen IGSS SCADA installation security

CVEs (8)

CVE-2023-27980 CVE-2023-27982 CVE-2023-27978 CVE-2023-27981 CVE-2023-27984 CVE-2023-27977 CVE-2023-27979 CVE-2023-27983

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/dbd14152-44ef-4c8a-a737-2f3f5081171b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.