Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation Products
Act Now | CVSS 9.8 | ICS-CERT ICSA-23-290-01 | Oct 17, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A deserialization vulnerability (CWE-502) in Schneider Electric EcoStruxure Power Monitoring Expert, Power Operation with Advanced Reports, and Power SCADA Operation with Advanced Reports allows unauthenticated remote code execution. Affected versions are PME 2023, 2022, and 2021, and EPO 2022 and 2021. Successful exploitation enables an attacker to execute arbitrary commands on the affected server without requiring credentials or user interaction.
What this means
What could happen
An attacker with network access to an affected EcoStruxure system could execute arbitrary code on the monitoring or operations server, potentially allowing them to alter power distribution settings, disable alarms, or disrupt visibility into electrical system status.
Who's at risk
Energy sector organizations operating Schneider Electric EcoStruxure Power Monitoring Expert, Power Operation with Advanced Reports, or Power SCADA Operation with Advanced Reports should prioritize this critical issue. These systems are typically used by electric utilities, large industrial facilities, and municipal power authorities to monitor and control electrical distribution, substations, and generation assets.
How it could be exploited
An attacker sends a specially crafted network request to the vulnerable EcoStruxure service (port and protocol unspecified in advisory). The service deserializes untrusted data without validation, allowing the attacker to instantiate arbitrary objects and execute code on the server.
Prerequisites
- Network reachability to the affected EcoStruxure service
- No credentials or authentication required
Remotely exploitable | No authentication required | Low attack complexity | Critical CVSS score (9.8) | Affects operations visibility and control | No patch publicly available yet (contact required)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
EcoStruxure Power Operation with Advanced Reports | <Hotfix-145271 | Hotfix-145271 (available through Schneider Electric Customer Care)
EcoStruxure Power SCADA Operation with Advanced Reports | <Hotfix-145271 | Hotfix-145271 (available through Schneider Electric Customer Care)
EcoStruxure Power Monitoring Expert | <Hotfix-145271 | Hotfix-145271 (available through Schneider Electric Customer Care)
Remediation & Mitigation
Do now
- HOTFIX: Contact Schneider Electric Customer Care Center to obtain and apply the available Hotfix to EcoStruxure Power Monitoring Expert (versions 2021, 2022, 2023)
- HOTFIX: Contact Schneider Electric Customer Care Center to obtain and apply the available Hotfix to EcoStruxure Power Operation with Advanced Reports (versions 2021, 2022)
- HOTFIX: Contact Schneider Electric Customer Care Center to obtain and apply the available Hotfix to EcoStruxure Power SCADA Operation with Advanced Reports (versions 2021, 2022)
- HARDENING: Place EcoStruxure servers and all power monitoring/operations infrastructure behind firewalls and isolate from business networks
- HARDENING: Ensure EcoStruxure servers are not directly accessible from the Internet or untrusted networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: If remote access to EcoStruxure is required, use VPN with current security patches
CVEs (1)