Schneider Electric Harmony HMI and Pro-Face HMI Products
Status: Plan Patch
CVSS: 8.8
ICS-CERT: ICSA-25-010-02
Published: Dec 10, 2024
Vendor: Schneider Electric
Sectors: Energy, Manufacturing
Attack path
- Attack Vector: Network
- Auth Required: Low
- Complexity: Low
- User Interaction: None needed
Summary
Schneider Electric Harmony HMI panels (HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7 series with EcoStruxure Operator Terminal Expert Software) and Pro-face HMI panels (PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100 series with Pro-face BLUE Software) contain a vulnerability in obsolete third-party components that could allow an authenticated attacker to execute arbitrary code, resulting in complete loss of control, integrity, and confidentiality of the device and operational failure of supervised equipment.
What this means
What could happen
An authenticated attacker with access to these HMI panels could execute arbitrary code and gain complete control over device operations, potentially causing loss of monitoring and control of critical industrial processes, system shutdown, or unsafe machine states.
Who's at risk
Water utilities and municipal electric utilities operating Schneider Electric Harmony HMI panels (HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7 series) or Pro-face HMI panels running Pro-face BLUE (PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100 series) for SCADA monitoring and equipment control should apply mitigations immediately: these devices are critical interfaces for plant operations and no vendor patch is available.
How it could be exploited
An attacker with valid credentials and network access to the Harmony or Pro-face HMI panel can exploit the obsolete third-party component vulnerability to execute arbitrary code on the device. Once code execution is achieved, the attacker can modify control logic, disable alarms, alter setpoints, or shut down supervised equipment.
Prerequisites
- Valid credentials for the HMI panel (engineering or operator account)
- Network access to the HMI panel management or runtime interface
- Knowledge of the device's IP address and port
Risk flags: No patch available; Affects safety systems and operational control; Requires valid credentials but low-complexity exploitation; Could enable complete loss of process control
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (2)
2 pending a fix
Product | Affected Versions | Fix Status
Harmony (formerly Magelis) HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7 series with EcoStruxure Operator Terminal Expert runtime | All versions | No fix yet
PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100 series with Pro-face BLUE runtime | All versions | No fix yet
Remediation & Mitigation
Do now
- HARDENING: Isolate all Harmony and Pro-face HMI panels from the business network using a firewall; allow only necessary maintenance traffic from designated engineering workstations on a separate control network.
- HARDENING: Restrict physical access to the HMI panel by placing it in a locked cabinet; ensure it is never left in 'Program' mode outside of scheduled maintenance.
- HARDENING: Disable remote access to the HMI panel unless absolutely required; if remote access is necessary, enforce VPN-based access with multi-factor authentication and restrict it to designated jump servers.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Implement network segmentation so HMI panels are on a dedicated industrial control network segment with restricted routing to business IT networks; block all inbound traffic from the Internet.
- HARDENING: Scan all removable media (USB drives, CDs) and devices before connecting them to the HMI panel or any control network node; maintain an inventory of approved engineering workstations.
- HARDENING: Enforce strict credential policies for HMI access (strong passwords, no shared accounts); audit and disable unused operator and engineering accounts.
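The two network hardening items above (firewall isolation of the HMI panels with maintenance traffic only from inventoried engineering workstations, and a dedicated control segment with no routing from business IT or the Internet) are only as good as the rules actually in place. The following is an added example, not part of this advisory or of Schneider Electric's guidance: a small Python audit that replays firewall connection records against the intended allow-list and reports every flow that should not have been permitted. The addresses, the log line format, the internal/business ranges and the maintenance ports are assumptions chosen for illustration, not values taken from the advisory or the products.

```python
"""Audit firewall connection records against an HMI segmentation allow-list."""
import re
from ipaddress import ip_address, ip_network

# Network plan for this example. All addresses and ports are assumed for
# illustration; substitute your own control-network design.
HMI_SEGMENT = ip_network("10.20.30.0/24")        # dedicated ICS segment holding the HMI panels
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]   # everything else is treated as external/Internet
BUSINESS_NETWORKS = [ip_network("10.10.0.0/16")] # corporate IT ranges that must never reach an HMI
ENGINEERING_WORKSTATIONS = {                     # approved maintenance sources (from the inventory)
    ip_address("10.20.40.11"),
    ip_address("10.20.40.12"),
}
MAINTENANCE_PORTS = {443, 8443}                  # assumed maintenance/runtime ports allowed from workstations

# Assumed firewall log format: "... src=A.B.C.D dst=A.B.C.D dport=N"
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_flow(line):
    """Return (src, dst, dport) from one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return ip_address(m["src"]), ip_address(m["dst"]), int(m["dport"])


def classify(src, dst, dport):
    """Decide whether a flow to the HMI segment matches the intended policy.

    Checks run from the broadest prohibition to the narrowest permission, so
    the verdict names the first rule the flow breaks.
    """
    if dst not in HMI_SEGMENT:
        return "out-of-scope"                      # not HMI-bound; other policy applies
    if src in HMI_SEGMENT:
        return "allow:intra-segment"               # panel-to-panel traffic inside the ICS segment
    if not any(src in net for net in INTERNAL_NETWORKS):
        return "deny:external-source"              # inbound from the Internet must be blocked
    if any(src in net for net in BUSINESS_NETWORKS):
        return "deny:business-network-source"      # business IT must not route to HMIs
    if src not in ENGINEERING_WORKSTATIONS:
        return "deny:unapproved-source"            # internal, but not an inventoried workstation
    if dport not in MAINTENANCE_PORTS:
        return "deny:unapproved-port"              # right host, wrong service
    return "allow:maintenance"


def audit(lines):
    """Classify every log line; unparsable lines are reported rather than dropped."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        findings.append((line, "unparsed" if flow is None else classify(*flow)))
    return findings


def violations(lines):
    """Only the flows the firewall passed but the policy says it should not have."""
    return [(line, verdict) for line, verdict in audit(lines) if verdict.startswith("deny:")]


# Constructed sample export: every record is one the firewall *permitted*.
SAMPLE_LOG = [
    "2024-12-10T08:00:01Z fw=ics-edge action=allow src=10.20.40.11 dst=10.20.30.5 dport=443",
    "2024-12-10T08:00:02Z fw=ics-edge action=allow src=10.10.5.23 dst=10.20.30.5 dport=443",
    "2024-12-10T08:00:03Z fw=ics-edge action=allow src=10.20.40.99 dst=10.20.30.7 dport=443",
    "2024-12-10T08:00:04Z fw=ics-edge action=allow src=203.0.113.8 dst=10.20.30.5 dport=443",
    "2024-12-10T08:00:05Z fw=ics-edge action=allow src=10.20.40.12 dst=10.20.30.5 dport=23",
    "2024-12-10T08:00:06Z fw=ics-edge action=allow src=10.20.30.9 dst=10.20.30.5 dport=443",
    "2024-12-10T08:00:07Z fw=ics-edge action=allow src=10.20.40.11 dst=10.10.1.1 dport=443",
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:30} {line}")
    print(f"{len(violations(SAMPLE_LOG))} flow(s) reached the HMI segment in violation of policy")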
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/5147960c-7c3a-46c3-b8ed-20994a754278Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.