Schneider Electric Harmony HMI and Pro-Face HMI Products
Plan Patch8.8ICS-CERT ICSA-25-010-02Dec 10, 2024
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
Schneider Electric Harmony HMI panels (HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7 series) and Pro-Face HMI panels (PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100 series) contain a third-party component vulnerability (CWE-1104 - Use of Obsolete Third-Party Component) in their runtime software. An authenticated attacker with network access could exploit this flaw to execute arbitrary code on the HMI device, potentially compromising confidentiality, integrity, and availability of the device and downstream connected systems. The vulnerability affects all versions of affected products.
What this means
What could happen
An authenticated attacker with network access to a Harmony or Pro-Face HMI panel could execute arbitrary code on the device, potentially seizing control of visualization screens, altering process setpoints, or disrupting machine operations and data logging functions across the plant.
Who's at risk
Energy and manufacturing facilities using Harmony HMI panels (HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7 series) with EcoStruxure Operator Terminal Expert, and Pro-Face HMI panels (PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100 series) with Pro-Face BLUE runtime should apply these controls immediately. These panels are critical touchpoints for plant operators to visualize, control, and monitor production lines, water treatment processes, and power distribution equipment.
How it could be exploited
An attacker with valid credentials and network access to the HMI panel (port 502 or similar Modbus/OPC interface) could exploit the third-party component vulnerability to inject and execute arbitrary commands. Once on the HMI, the attacker could modify control logic, change operator displays, or push malicious commands downstream to connected PLCs and safety systems.
Prerequisites
- Valid user credentials for the HMI panel
- Network connectivity to the HMI device (LAN access or remote connection)
- Knowledge of the vulnerable third-party component used in the EcoStruxure or Pro-Face runtime
remotely exploitableauthentication required (valid credentials)low complexityno patch availableaffects visualization and control of critical operationshigh CVSS (8.8)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 pending
ProductAffected VersionsFix Status
Harmony (Formerly Magelis) HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7 series with EcoStruxureTM Operator Terminal Expert runtime All versionsAll versionsNo fix yet
PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100 series with Pro-face BLUE runtime All versionsAll versionsNo fix yet
Remediation & Mitigation
0/6
Do now
0/3HARDENINGIsolate all Harmony and Pro-Face HMI panels behind a firewall; do not allow direct internet access or connections from business networks
HARDENINGImplement network segmentation to separate control system networks (where HMI panels reside) from business IT networks
WORKAROUNDIf remote access to HMI panels is required, use VPN with the most current version available and ensure the VPN endpoint device is fully patched
Schedule — requires maintenance window
0/3Patching may require device reboot — plan for process interruption
HARDENINGRestrict physical access to HMI panels and their controllers by placing them in locked cabinets; ensure devices are not left in 'Program' mode
HARDENINGNever connect engineering workstations running EcoStruxure Operator Terminal Expert or Pro-Face design software to networks other than the target OT network; scan all removable media (USB, CDs) for malware before use on HMI networks
HARDENINGEnforce strict authentication policies for HMI panel access; disable default credentials if present and rotate user passwords regularly
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/5147960c-7c3a-46c3-b8ed-20994a754278