Schneider Electric Easergy Studio

Plan PatchCVSS 7.8ICS-CERT ICSA-25-023-04Oct 8, 2024

Schneider ElectricEnergy

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric Easergy Studio contains an insecure installation directory permissions vulnerability that could allow a local user with low privileges to escalate access and modify the configuration installation directory. Exploitation requires local file system access to the Easergy Studio workstation. The vulnerability is not remotely exploitable. Easergy Studio is a software solution for configuring, monitoring, and managing control devices across energy networks. Unauthorized access to the installation directory could allow modification of device configurations, potentially affecting control and safety system operations. The vulnerability was fixed in version 9.3.4, released in December 2022.

What this means

What could happen

An attacker with local file system access to a computer running Easergy Studio could exploit an insecure installation directory to escalate privileges and potentially compromise the configuration of critical control devices across your electrical or energy distribution network.

Who's at risk

Energy utilities and operators managing electrical distribution or control systems that use Schneider Electric Easergy Studio for device configuration and management. This affects engineering workstations and the control device configurations they manage, not the devices themselves.

How it could be exploited

An attacker with local access to the Easergy Studio installation directory can exploit an insecure permission or file ownership vulnerability to elevate their privileges. Once elevated, they could modify device configurations, potentially altering control setpoints or disabling safety interlocks on networked control devices.

Prerequisites

Local file system access to the computer where Easergy Studio is installed
Low-level user account on the same system
Easergy Studio version 9.3.1 or earlier

Requires local file system accessPrivilege escalation capabilityAffects safety-related device configurationsLow EPSS score but high CVSS

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

Easergy Studio≤ 9.3.19.3.4

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict physical and logical access to computers running Easergy Studio to authorized engineering personnel only

HARDENINGDo not allow engineering workstations running Easergy Studio to be connected to untrusted networks or the Internet

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Easergy Studio to version 9.3.4 or later

Long-term hardening

0/1

HARDENINGNever run Easergy Studio on shared workstations or systems accessible to general IT staff

CVEs (1)

CVE-2024-9002

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c7fa1a31-0e83-41c4-9658-6a2365bf4c5a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.