Schneider Electric Vijeo Designer and EcoStruxure™ Machine Expert (Update A)

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-25-014-02 | Sep 10, 2024
Schneider Electric | Energy | Manufacturing
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric Vijeo Designer (versions before 6.3_SP1) and EcoStruxure Machine Expert (all versions before 2.3) contain a privilege escalation vulnerability due to insufficient access controls. An attacker with local user access to an engineering workstation could escalate to administrator privileges, gaining unauthorized access to workstation resources and the ability to modify HMI configurations and control logic that runs on deployed Harmony and Magelis HMI devices. The vulnerability affects HMI configuration environments used in energy and manufacturing sectors.

What this means
What could happen
A user with local access to an engineering workstation running Vijeo Designer or EcoStruxure Machine Expert could escalate their privileges and gain unauthorized access to all data and functions on that workstation, potentially including the ability to modify HMI configurations and process controls.
Who's at risk
This affects operators and engineers managing Harmony and Magelis HMI devices in energy and manufacturing plants who use Vijeo Designer or EcoStruxure Machine Expert on engineering workstations. Concern is highest for sites where non-administrative personnel have workstation access or where credentials may be shared.
How it could be exploited
An attacker with a local user account on an engineering workstation could exploit insufficient privilege controls in Vijeo Designer to elevate their permissions to administrator level, allowing them to modify HMI configurations, access sensitive control logic, or interfere with the design environment used to program your Harmony or Magelis HMI devices.
Prerequisites
  • Local user account on the engineering workstation running Vijeo Designer or EcoStruxure Machine Expert
  • Vijeo Designer version prior to 6.3_SP1, or any EcoStruxure Machine Expert version prior to 2.3, installed on the workstation
Key points
  • Privilege escalation vulnerability
  • Affects engineering workstations that manage HMI/SCADA systems
  • Low attack complexity
  • Requires local access only
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Vijeo Designer | <6.3 SP1 | 6.3_SP1
EcoStruxure™ Machine Expert | All versions | 6.3.2.16
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Vijeo Designer
HOTFIX: Update Vijeo Designer to version 6.3_SP1 or later using the Schneider Electric Software Update (SESU) application
HOTFIX: Update EcoStruxure Machine Expert to version 2.3 or later using the Schneider Electric Software Installer if the Vijeo Designer optional component is installed
Long-term hardening
HARDENING: Restrict local user account privileges on engineering workstations so that non-administrative users cannot elevate their permissions


Source: OTPulse advisory page (CVSS 7.8)