Schneider Electric RemoteConnect and SCADAPack x70 Utilities (Update A)

Monitor | CVSS 7.8 | ICS-CERT ICSA-25-028-06 | Jan 14, 2025
Schneider Electric | Energy
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

RemoteConnect and SCADAPack x70 Utilities contain a deserialization vulnerability (CWE-502) in the project file handling code. When a user opens a project file in RemoteConnect (versions before R3.4.2) or Security Administrator (all versions), unsafe deserialization of untrusted data can occur, allowing arbitrary code execution on the workstation. This could lead to loss of confidentiality, integrity, and potential remote code execution.

What this means
What could happen
An attacker who tricks an operator into opening a malicious project file could execute code on the workstation, potentially allowing them to steal credentials, modify SCADA configuration files, or pivot into the control network.
Who's at risk
Energy sector operators and utilities using Schneider Electric RemoteConnect or SCADAPack x70 Utilities, particularly engineering staff and technicians who configure or manage SCADAPack x70 remote telemetry and SCADA devices. All versions of Security Administrator are affected, and no patch is available.
How it could be exploited
An attacker crafts a malicious RemoteConnect project file containing serialized code. When a user opens the file in the vulnerable software, unsafe deserialization executes the attacker's code on that workstation with the user's privileges. The workstation is typically used to manage SCADAPack x70 devices, so code execution here enables access to SCADA configuration and credentials.
Prerequisites
  • User must open a malicious project file in RemoteConnect or Security Administrator software
  • File must be received by or delivered to a user in the organization
  • User must have RemoteConnect or Security Administrator installed (vulnerable versions for RemoteConnect < R3.4.2, all versions for Security Administrator)
Risk factors
  • No patch available for Security Administrator
  • User interaction required (file opening)
  • Low exploitation complexity
  • High CVSS score (7.8)
  • Affects SCADA configuration software with credentials and system access
Exploitability
Some exploitation risk — EPSS score 1.0%
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
RemoteConnect and SCADAPack™ x70 Utilities - RemoteConnect | < R3.4.2 | No fix yet
RemoteConnect and SCADAPack™ x70 Utilities - Security Administrator All Versions | All versions | No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Only open RemoteConnect project files received from trusted internal sources; verify the sender before opening any project file
  • WORKAROUND: Compute and store MD5 or SHA-256 hashes of all project files in active use; regularly re-hash these files to detect tampering
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update RemoteConnect to version R3.4.2 or later
  • HARDENING: Encrypt all RemoteConnect project files at rest and restrict file access to authorized personnel only
  • HARDENING: When transferring project files over the network, use encrypted protocols (SFTP, HTTPS, VPN) instead of unencrypted methods