Schneider Electric Power Logic

Plan PatchCVSS 8.8ICS-CERT ICSA-25-028-02Jan 14, 2025

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric Power Logic HDPM6000 firmware versions 0.62.7 and earlier contain two vulnerabilities (CVE-2024-10497, CVE-2024-10498) affecting the web interface and Modbus protocol functionality. CVE-2024-10497 affects only version 0.62.7; CVE-2024-10498 affects version 0.62.7 and all prior versions. Successful exploitation could allow an attacker to modify data or cause denial-of-service conditions on the device. The issues stem from improper access control (CWE-639) and buffer handling (CWE-119).

What this means

What could happen

An attacker with access to the network could modify data in the Power Logic device or disrupt its web interface and Modbus communication, potentially affecting energy monitoring, reporting, and operational visibility in your facility.

Who's at risk

Power system operators and plant engineers using Schneider Electric Power Logic HDPM6000 devices for energy monitoring and data collection should apply this update immediately. Any facility relying on these devices for operational data visibility and compliance reporting is affected.

How it could be exploited

An attacker on your network with user-level credentials can send crafted requests to the HDPM6000 web interface or Modbus protocol port to modify device data or trigger denial-of-service conditions that interrupt monitoring and communication.

Prerequisites

Network access to the HDPM6000 device on ports 80/443 (HTTP/HTTPS) or port 502 (Modbus)
Valid user account credentials for the Power Logic web interface

remotely exploitablerequires user-level credentialsaffects energy infrastructuretwo vulnerabilities in same productlow complexity attack

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (4)

2 with fix2 pending

ProductAffected VersionsFix Status

Power Logic HDPM6000v0.62.7>=0.62.11

Power Logic HDPM6000≤ 0.62.7>=0.62.11

Schneider Electric Power Logic: v0.62.7v0.62.7No fix yet

Schneider Electric Power Logic: <=v0.62.7≤ v0.62.7No fix yet

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to HDPM6000 HTTPS port (443) to only local network segments using firewall rules; block external access

WORKAROUNDRestrict network access to HDPM6000 Modbus port (502) to only authorized equipment on local network segments using firewall rules

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate HDPM6000 firmware to version 0.62.11 or later through the web user interface (device will restart automatically) or using HDPM6000 Manager software (manual restart required)

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate Power Logic devices from untrusted networks and restrict access to authorized users only

CVEs (2)

CVE-2024-10497 CVE-2024-10498

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3495dbe0-5499-40d8-919e-050f376f622e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.