OTPulse

Schneider Electric EcoStruxure

Monitor · 5.4 · ICS-CERT ICSA-25-014-03 · Sep 10, 2024
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Cross-site scripting (XSS) vulnerability in Schneider Electric EcoStruxure Power Monitoring Expert, Power Operation, and Power SCADA Operation web interfaces. An authenticated attacker can inject malicious JavaScript that executes in the browser of other users, potentially allowing theft of session credentials or manipulation of system commands. The vulnerability stems from insufficient input validation in the web application (CWE-79).

What this means
What could happen
An attacker with valid credentials could inject malicious web code that executes in the browser of other operators, potentially capturing their credentials or manipulating the commands they send to monitoring and control systems for power distribution infrastructure.
Who's at risk
Electric utilities and power distribution companies using Schneider Electric's on-premises power monitoring and SCADA software should assess if they are running vulnerable versions. This affects operators and engineers who access the PME, EPO, or PSO web interfaces to monitor and control medium and lower voltage power distribution systems.
How it could be exploited
An attacker with valid login credentials injects malicious JavaScript into the PME or EPO web interface. When other operators view the affected page, the injected code runs in their browser and can steal session cookies, intercept commands to control power systems, or redirect them to a phishing site. The attacker must have network access to the web interface and valid credentials to inject the payload.
Prerequisites
  • Valid user credentials to the EcoStruxure PME or EPO web interface
  • Network access to the web interface port
  • The vulnerable version of PME or EPO deployed in the environment
remotely exploitable · requires valid credentials · affects operator interfaces · no fix available for some products
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
3 with fix · 4 pending

Product | Affected Versions | Fix Status
EcoStruxure™ Power Monitoring Expert (PME) 2021 CU1 and prior | ≤ 2021 CU1 | 2021_CU2
EcoStruxure™ Power Monitoring Expert (PME) 2020 CU3 and prior | ≤ 2020 CU3 | No fix yet
EcoStruxure™ Power Operation (EPO) 2022 CU4 and prior | ≤ 2022 CU4 | 2022_CU5
EcoStruxure™ Power Operation (EPO) 2022 – Advanced Reporting and Dashboards Module 2022 CU4 and prior | ≤ 2022 CU4 | No fix yet
EcoStruxure™ Power Operation (EPO) 2021 CU3 Hotfix 2 and prior | ≤ 2021 CU3 Hotfix 2 | 2021_CU3_Hotfix_3
EcoStruxure™ Power Operation (EPO) 2021 – Advanced Reporting and Dashboards Module 2021 CU3 Hotfix 2 and prior | ≤ 2021 CU3 Hotfix 2 | No fix yet
EcoStruxure™ Power SCADA Operation 2020 (PSO) - Advanced Reporting and Dashboards Module All Versions | All versions | No fix yet
Remediation & Mitigation
Do now
EcoStruxure™ Power Operation (EPO) 2022 CU4 and prior
WORKAROUND: For Power Operation deployments with the Advanced Reporting and Dashboards Module, verify and separately update the installed version of Power Monitoring Expert, even if the Power Operation patch is applied
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update EcoStruxure Power Monitoring Expert to version 2021_CU2 or later (or upgrade to 2022 version)
HOTFIX: Update EcoStruxure Power Operation to version 2022_CU5 or later
HOTFIX: Update EcoStruxure Power Operation to version 2021_CU3_Hotfix_3 or later
Long-term hardening
EcoStruxure™ Power Monitoring Expert (PME) 2021 CU1 and prior
HARDENING: Restrict network access to the PME and EPO web interfaces using firewall rules to only authorized administrator networks and workstations
All products
HARDENING: Implement Content Security Policy (CSP) headers on the web interface to block inline script execution
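
One way to verify the CSP hardening item above, as an added example that is not part of the advisory or any vendor code: it parses a Content-Security-Policy header value and reports the script directives under which inline script would still run. The function names and sample header values are assumptions constructed for illustration.

```python
import re

# Nonce/hash sources make browsers ignore 'unsafe-inline' in the same list.
_NONCE_OR_HASH = re.compile(r"^'(nonce|sha256|sha384|sha512)-", re.I)

def parse_policy(text):
    """Parse one serialized policy into {directive: [sources]}; first duplicate wins."""
    policy = {}
    for part in text.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def allows_inline(policy, directive):
    """True if this policy lets inline script run for the given script directive."""
    for name in (directive, "script-src", "default-src"):  # CSP fallback chain
        if name in policy:
            sources = policy[name]
            break
    else:
        return True  # the policy places no restriction on script at all
    if "'unsafe-inline'" not in sources:
        return False
    if "'strict-dynamic'" in sources:
        return False  # 'strict-dynamic' also disables 'unsafe-inline'
    return not any(_NONCE_OR_HASH.match(s) for s in sources)

def inline_script_gaps(header_value):
    """Return the script directives under which inline script still executes.

    header_value is the enforced Content-Security-Policy header (not the
    Report-Only variant). Comma-separated policies are all enforced, so one
    blocking policy is enough.
    """
    policies = [parse_policy(p) for p in (header_value or "").split(",") if p.strip()]
    return [d for d in ("script-src-elem", "script-src-attr")
            if all(allows_inline(p, d) for p in policies)]

if __name__ == "__main__":
    # Constructed sample header values, not captured from any product.
    for sample in ("", "default-src 'self'", "script-src 'self' 'unsafe-inline'",
                   "script-src 'self' 'unsafe-inline' 'nonce-r4nd0m'"):
        print(repr(sample), "->", inline_script_gaps(sample) or "inline script blocked")
```

An empty result means the policy blocks both inline `<script>` blocks (`script-src-elem`) and inline event handlers (`script-src-attr`).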