Schneider Electric Vijeo Designer and EcoStruxure™ Machine Expert (Update A)
Plan: Patch
Severity score: 7.8
Source: ICS-CERT ICSA-25-014-02
Date: Sep 10, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Schneider Electric Vijeo Designer and EcoStruxure Machine Expert contain a privilege escalation vulnerability, caused by insufficient privilege checking, that allows a local user to gain elevated privileges on an engineering workstation. This could result in unauthorized access to workstation resources and potential modification of HMI configurations and control logic. Vijeo Designer versions below 6.3_SP1 are affected. EcoStruxure Machine Expert is affected in all versions that do not include the Vijeo Designer 6.3.2.16 update.
What this means
What could happen
An attacker with local access to an engineering workstation running Vijeo Designer or EcoStruxure Machine Expert could gain elevated privileges and take control of the HMI configuration system, potentially allowing them to modify control logic for connected Harmony and Magelis HMI devices.
Who's at risk
This affects energy and manufacturing organizations using Schneider Electric's Vijeo Designer HMI configuration software or EcoStruxure Machine Expert on engineering workstations that control Harmony and Magelis HMI devices. Any operator or technician with local workstation access could exploit this to alter HMI behavior and downstream process control.
How it could be exploited
An attacker with a local user account on an engineering workstation can exploit insufficient privilege checking in Vijeo Designer or EcoStruxure Machine Expert to escalate to higher privileges. Once escalated, the attacker can modify HMI configurations, custom applications, or logic that controls downstream industrial equipment.
Prerequisites
- Local user account on the engineering workstation running Vijeo Designer or EcoStruxure Machine Expert
- Vulnerable version of Vijeo Designer (below 6.3_SP1) or EcoStruxure Machine Expert (any version before 2.3 that includes the Vijeo Designer component)
Key points:
- Requires local access only
- Low complexity exploitation
- Affects HMI/control engineering systems
- Could enable unauthorized modification of industrial processes
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2, both with a fix available)
Product: Vijeo Designer
  Affected versions: below 6.3_SP1
  Fix status: 6.3_SP1
Product: EcoStruxure™ Machine Expert
  Affected versions: all versions
  Fix status: Vijeo Designer component 6.3.2.16
Remediation & Mitigation
Do now
- HARDENING (Vijeo Designer): Restrict local user account access to engineering workstations running Vijeo Designer or EcoStruxure Machine Expert to authorized personnel only
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
- HOTFIX (Vijeo Designer): Update Vijeo Designer to version 6.3_SP1 or later using the Schneider Electric Software Update (SESU) application
- HOTFIX: Update EcoStruxure Machine Expert to version 2.3 or later, which includes the fixed Vijeo Designer 6.3.2.16 component
Long-term hardening
- HARDENING: Physically secure or air-gap engineering workstations to minimize the risk of unauthorized local access
CVEs (1)