Schneider Electric SpaceLogic C-Bus Toolkit

Act Now9.8ICS-CERT ICSA-23-306-06Nov 2, 2023

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SpaceLogic C-Bus Toolkit versions 1.16.3 and earlier contain improper access control vulnerabilities (CWE-269, CWE-22) that allow unauthenticated remote code execution over the network. An attacker can send malicious commands to TCP port 20023 to execute code on the toolkit and tamper with building automation system configuration and operation. The vulnerability affects all versions up to and including 1.16.3.

What this means

What could happen

An attacker with network access to the toolkit could run arbitrary code on the SpaceLogic C-Bus system, allowing them to modify automation logic, disable safety controls, or disrupt building operations like HVAC and lighting.

Who's at risk

Building automation and energy management operators who deploy Schneider Electric SpaceLogic C-Bus Toolkit for HVAC, lighting, and facility control should prioritize this fix. This is particularly critical for organizations in the energy sector managing critical infrastructure or those running unmanned remote facilities.

How it could be exploited

An attacker on the network sends a crafted command to TCP port 20023 on the SpaceLogic C-Bus Toolkit. Because no authentication is required and the toolkit accepts the malicious command, the attacker gains the ability to execute code on the device and alter its behavior.

Prerequisites

Network access to the SpaceLogic C-Bus Toolkit on TCP port 20023
No credentials or authentication required

remotely exploitableno authentication requiredlow complexityhigh EPSS score (25.1%)affects automation and safety systems

Exploitability

High exploit probability (EPSS 25.1%)

Affected products (1)

ProductAffected VersionsFix Status

SpaceLogic C-Bus Toolkit: <=1.16.3≤ 1.16.31.16.4

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDBlock inbound TCP port 20023 to the SpaceLogic C-Bus Toolkit using local firewall rules

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SpaceLogic C-Bus Toolkit to version 1.16.4 or later

Long-term hardening

0/3

HARDENINGIsolate the C-Bus Toolkit and connected control devices from the business network using a dedicated network segment or DMZ

HARDENINGRestrict remote access to the toolkit; if remote access is required, use a VPN connection

HARDENINGEnsure programming software is connected only to the intended C-Bus network and never to any other network

CVEs (2)

CVE-2023-5402 CVE-2023-5399

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5bc19424-90af-40da-a56a-38a6051142cf