Schneider Electric EcoStruxure

CVSS 5.4 | ICS-CERT ICSA-25-014-03 | Sep 10, 2024
Schneider Electric | Energy
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Reflected cross-site scripting (XSS) vulnerability in Schneider Electric EcoStruxure Power Monitoring Expert (PME), Power Operation (EPO), and Power SCADA Operation (PSO) software. An authenticated attacker can inject malicious web code that executes in the browsers of other users viewing the same pages, potentially leading to unauthorized access to power system information or unintended control operations. Schneider Electric has released patches for PME 2021 (CU2), PME 2022, EPO 2022 (CU5), and EPO 2021 (CU3 Hotfix 3). No fixes are available for PME 2020 CU3, EPO 2022 Advanced Reporting module, EPO 2021 Advanced Reporting module, or PSO 2020 Advanced Reporting module.

What this means
What could happen
An authenticated user could inject malicious web code (XSS) that executes in the browsers of other users accessing the EcoStruxure power monitoring or operations dashboards, potentially allowing unauthorized viewing or manipulation of power system data and setpoints.
Who's at risk
Energy utilities operating medium and lower voltage distribution systems, and critical facilities managing power systems with EcoStruxure Power Monitoring Expert, Power Operation, or Power SCADA Operation software. This affects anyone relying on these platforms for power system monitoring and control dashboards.
How it could be exploited
An attacker with valid credentials logs into the EcoStruxure web interface and injects malicious JavaScript code into a field that is displayed to other users. When other users view that page, the malicious code executes in their browser with their permissions, allowing the attacker to steal session cookies, steal credentials, or issue commands to the power system on their behalf.
Prerequisites
  • Valid user account credentials for the EcoStruxure application
  • Network access to the EcoStruxure web server (typically HTTP/HTTPS port)
  • User interaction: another user must view a page containing the injected malicious code
  • Remotely exploitable via web interface
  • Requires valid user credentials
  • Low complexity attack (standard XSS injection)
  • Multiple products and versions affected, with no patches available for some
  • Could enable unauthorized viewing or manipulation of critical power system data
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (7)
3 with fix, 4 pending
Product | Affected Versions | Fix Status
EcoStruxure™ Power Monitoring Expert (PME) 2021 CU1 and prior | ≤ 2021 CU1 | 2021_CU2
EcoStruxure™ Power Monitoring Expert (PME) 2020 CU3 and prior | ≤ 2020 CU3 | No fix yet
EcoStruxure™ Power Operation (EPO) 2022 CU4 and prior | ≤ 2022 CU4 | 2022_CU5
EcoStruxure™ Power Operation (EPO) 2022 – Advanced Reporting and Dashboards Module 2022 CU4 and prior | ≤ 2022 CU4 | No fix yet
EcoStruxure™ Power Operation (EPO) 2021 CU3 Hotfix 2 and prior | ≤ 2021 CU3 Hotfix 2 | 2021_CU3_Hotfix_3
EcoStruxure™ Power Operation (EPO) 2021 – Advanced Reporting and Dashboards Module 2021 CU3 Hotfix 2 and prior | ≤ 2021 CU3 Hotfix 2 | No fix yet
EcoStruxure™ Power SCADA Operation 2020 (PSO) – Advanced Reporting and Dashboards Module, all versions | All versions | No fix yet
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EcoStruxure™ Power Operation (EPO) 2022 CU4 and prior
HOTFIX: If running EcoStruxure Power Operation 2022 or 2021 with the Advanced Reporting module, verify and apply the corresponding EcoStruxure Power Monitoring Expert updates independently
All products
HOTFIX: Update EcoStruxure Power Monitoring Expert 2021 to CU2 or later
HOTFIX: Update EcoStruxure Power Monitoring Expert 2022 to the latest available version
HOTFIX: Update EcoStruxure Power Operation 2022 to CU5 or later
HOTFIX: Update EcoStruxure Power Operation 2021 to CU3 Hotfix 3 or later
Long-term hardening
HARDENING: Restrict network access to EcoStruxure web interfaces to trusted networks and require multi-factor authentication for user login
HARDENING: Implement Content Security Policy (CSP) headers on EcoStruxure web servers to prevent inline script execution
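As an added example for the CSP hardening item above (not code from the advisory or from Schneider Electric), the check below parses a Content-Security-Policy header value and reports whether it still permits inline script execution, the behaviour a reflected XSS payload depends on. It handles the script-src to default-src fallback, duplicate directives, and the rule that a nonce or hash source makes 'unsafe-inline' ignored; the header values it audits are constructed samples, not captures from a real PME/EPO/PSO server.

```python
# Added example for the CSP hardening item above, not Schneider Electric code.
# Sample header values are constructed, not captured from a PME/EPO/PSO server.
from typing import Dict, List, Optional

# Constructed sample responses: name -> CSP header value (None = header absent).
SAMPLE_HEADERS: Dict[str, Optional[str]] = {
    "missing": None,
    "weak": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "fallback_weak": "default-src 'self' 'unsafe-inline'",
    "hardened": "default-src 'self'; script-src 'self' 'nonce-c0nstructed'",
    "nonce_overrides_inline": "script-src 'self' 'unsafe-inline' 'nonce-c0nstructed'",
}


def parse_csp(header: Optional[str]) -> Dict[str, List[str]]:
    """Split a header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for raw in (header or "").split(";"):
        parts = raw.strip().split()
        if parts:
            # Browsers honour only the first occurrence of a directive name.
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def inline_script_allowed(header: Optional[str]) -> bool:
    """True if the policy (or its absence) still lets inline scripts execute."""
    policy = parse_csp(header)
    # script-src governs inline script; default-src is the fallback when absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: nothing restricts inline script
    lowered = [s.lower().strip("'") for s in sources]
    # A nonce- or hash-source makes 'unsafe-inline' ignored in CSP Level 2+ browsers.
    hashed = ("nonce-", "sha256-", "sha384-", "sha512-")
    has_nonce_or_hash = any(s.startswith(hashed) for s in lowered)
    return "unsafe-inline" in lowered and not has_nonce_or_hash


def audit(headers: Dict[str, Optional[str]] = SAMPLE_HEADERS) -> Dict[str, str]:
    """Map each sample to the finding a hardening checklist would record."""
    return {
        name: "inline script ALLOWED" if inline_script_allowed(value)
        else "inline script blocked"
        for name, value in headers.items()
    }
```

A "blocked" result only confirms that the policy disallows inline script; it does not substitute for the patches listed above.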