Schneider Electric EcoStruxure IT Gateway

Plan: Patch
CVSS: 9.8
ICS-CERT: ICSA-24-326-05
Published: Nov 12, 2024
Vendor: Schneider Electric
Sector: Energy

Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A missing authorization check vulnerability exists in Schneider Electric EcoStruxure IT Gateway versions 1.21.0.6, 1.22.0.3, 1.22.1.5, and 1.23.0.4. This vulnerability allows unauthenticated remote attackers to gain unauthorized access to the gateway without proper permission controls, potentially enabling control of the gateway or retrieval of sensitive information including credentials and operational data stored or transmitted through the gateway.

What this means
What could happen
An attacker could gain unauthorized control of the EcoStruxure IT Gateway, potentially accessing sensitive operational data or manipulating the gateway's communications with your IT infrastructure monitoring systems.
Who's at risk
Energy sector operators and IT/OT infrastructure managers who deploy Schneider Electric EcoStruxure IT Gateway for cloud-based monitoring and management of IT infrastructure devices (servers, switches, UPS, environmental monitoring equipment). This includes utility companies and industrial facilities using EcoStruxure for centralized infrastructure visibility.
How it could be exploited
An attacker with network access to the EcoStruxure IT Gateway can exploit the missing authorization check to send malicious requests without authentication, allowing remote control of the gateway or extraction of stored credentials and sensitive information.
Prerequisites
  • Network access to the EcoStruxure IT Gateway
  • No authentication required
Tags: remotely exploitable, no authentication required, low complexity, critical CVSS score (9.8)
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (1)
Product: EcoStruxure™ IT Gateway
Affected Versions: 1.21.0.6, 1.22.0.3, 1.22.1.5, 1.23.0.4
Fix Status: fixed in 1.23.1.10
Remediation & Mitigation
Do now
HARDENING: Enable automatic updates in EcoStruxure IT Gateway settings to receive future security patches automatically
HARDENING: Restrict network access to the EcoStruxure IT Gateway to authorized IT management systems only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update EcoStruxure IT Gateway to version 1.23.1.10 or later
