Schneider Electric Zelio Soft 2
Plan Patch · CVSS 7.8 · ICS-CERT ICSA-24-284-14 · Oct 8, 2024
Vendor: Schneider Electric · Sector: Energy
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Zelio Soft 2 versions prior to 5.4.2.2 contain use-after-free and improper input validation vulnerabilities (CWE-416, CWE-20) that could allow an attacker with local access to execute arbitrary code, achieve denial-of-service, or compromise the confidentiality and integrity of control system data. The vulnerability can be exploited through interaction with a malicious project file or crafted network resource.
What this means
What could happen
An attacker could run arbitrary code on a system running Zelio Soft 2, potentially gaining control of PLCs and field devices to alter setpoints, stop processes, or disrupt plant operations. This could also cause data loss or unauthorized access to control logic and configuration.
Who's at risk
Energy sector organizations using Zelio Soft 2 for engineering and configuration of Schneider Electric Zelio relays and controllers should prioritize this update. This affects anyone responsible for maintaining, testing, or updating Zelio devices—typically control engineers, automation technicians, and operations staff managing relay logic and field device configuration.
How it could be exploited
An attacker would need local access to a user's workstation or an engineer's machine running Zelio Soft 2 (for example via USB media, a malicious file, or a compromised network share). They could trigger the vulnerability by getting the user to open a malicious project file or a crafted network resource, leading to code execution with the privileges of the engineering workstation user.
Prerequisites
- Local access to a machine running Zelio Soft 2
- User interaction required (opening a malicious file or visiting a network resource)
- Access to the Zelio Soft 2 installation on the engineering workstation
Key factors: local code execution; high impact to confidentiality and integrity; requires user interaction; affects engineering workstations, which have broad access to control logic
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)
2 with fix
Product: Zelio Soft 2 · Affected Versions: <5.4.2.2 · Fix Status: fixed in 5.4.2.2
Remediation & Mitigation
Do now (Zelio Soft 2)
HARDENING: Restrict network access to engineering workstations running Zelio Soft 2; limit file sharing and USB access from untrusted sources
Schedule — requires maintenance window (Zelio Soft 2)
Note: Patching may require device reboot — plan for process interruption
HOTFIX: Update Zelio Soft 2 to version 5.4.2.2 or later via the Schneider Electric Software Update (SESU) application
Long-term hardening
HARDENING: Isolate the engineering workstations and the network segment containing control system devices behind a firewall, separate from the business network
HARDENING: Implement VPN for remote access to engineering environments and control systems, ensuring the VPN software is updated to the latest version
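As an added example, not part of the advisory or of Schneider Electric's tooling, the following PowerShell check inventories a Windows engineering workstation and compares the installed Zelio Soft 2 version with the fixed version 5.4.2.2 from this advisory. It assumes the product registers under the standard Windows Uninstall registry keys with a DisplayName beginning "Zelio Soft 2"; the advisory does not state how the product registers itself, so that match pattern is an assumption to verify against one known installation.

```powershell
# Added example: compare the installed Zelio Soft 2 version on a Windows
# engineering workstation against the fixed version from ICSA-24-284-14.
# Assumption: the product appears under the standard Uninstall keys with a
# DisplayName starting "Zelio Soft 2" (not confirmed by the advisory).
$FixedVersion = [version]'5.4.2.2'

# Both native and 32-bit (WOW6432Node) uninstall hives are checked.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ZelioSoftStatus {
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Zelio Soft 2*' }

    if (-not $entries) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Installed = $false
            Version  = $null;             Status    = 'NotInstalled'
        }
    }

    foreach ($e in $entries) {
        $parsed = $null
        # DisplayVersion may be missing or non-numeric; report it as unknown
        # rather than silently treating the host as patched.
        if (-not [version]::TryParse([string]$e.DisplayVersion, [ref]$parsed)) {
            $status = 'UnknownVersion'
        } elseif ($parsed -lt $FixedVersion) {
            $status = 'Vulnerable'
        } else {
            $status = 'Patched'
        }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Installed = $true
            Version   = $e.DisplayVersion
            Status    = $status
        }
    }
}

Get-ZelioSoftStatus | Format-Table -AutoSize
```

For a fleet-wide inventory, run the same function through Invoke-Command against the list of engineering workstations and collect the objects centrally.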
CVEs (2)