OTPulse

Schneider Electric Zelio Soft 2

Plan: Patch · Score: 7.8 · ICS-CERT ICSA-24-284-14 · Oct 10, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Zelio Soft 2 versions prior to 5.4.2.2 contain use-after-free (CWE-416) and improper input validation (CWE-20) vulnerabilities. Successful exploitation could allow an attacker with local access to achieve arbitrary code execution with the privileges of the user running the application, enabling modification of control programs before deployment or exfiltration of sensitive engineering data. The vulnerabilities are triggered through file handling in the application.

What this means
What could happen
An attacker with local access to a workstation running Zelio Soft 2 could execute arbitrary code, potentially compromising the integrity of control program files used to configure field devices. This could allow unauthorized modification of logic or setpoints in connected PLCs.
Who's at risk
Energy sector organizations using Schneider Electric Zelio Soft 2 for programming and configuration of Zelio logic relays and automation devices should assess exposure. This affects any facility where Zelio devices are used for process control, including small substations, motor control centers, and distributed control points in electrical distribution systems.
How it could be exploited
An attacker would need to trick a user into opening a malicious file (likely a project file) in Zelio Soft 2, or exploit the vulnerability through user interaction while the software is running. Once exploited, the attacker gains code execution in the context of the engineering workstation, allowing them to read, modify, or delete control program files before they are deployed to field devices.
Prerequisites
  • Local or physical access to an engineering workstation running a Zelio Soft 2 version prior to 5.4.2.2
  • User interaction required (opening a file or engaging with the application)
  • Zelio Soft 2 must be installed and running
  • Local exploitation required
  • User interaction required (file opening)
  • High impact on code execution
  • Affects engineering workstations, which are typically less hardened than production systems
  • No publicly disclosed exploit code as of advisory date
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product       | Affected Versions | Fix Status
Zelio Soft 2  | <5.4.2.2          | 5.4.2.2
Remediation & Mitigation
Do now
HARDENING: Restrict access to engineering workstations running Zelio Soft 2 to authorized personnel only; enforce strong authentication on workstations
HARDENING: Implement user awareness training to avoid opening untrusted project files or suspicious emails on engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Zelio Soft 2 to Version 5.4.2.2 or later using the Schneider Electric Software Update (SESU) application
Long-term hardening
HARDENING: Isolate workstations running Zelio Soft 2 from internet and general business network access; place them behind a firewall with strict egress controls