OTPulse

Schneider Electric EcoStruxure (Update C)

Plan Patch | 7.8 | ICS-CERT ICSA-25-037-02 | Feb 6, 2025
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A local privilege escalation vulnerability exists in multiple EcoStruxure products due to insecure DLL loading or file handling. An attacker with a local user account on an engineering workstation can exploit this flaw to execute code with elevated privileges and inject malicious DLLs into the EcoStruxure application process. This could allow modification of automation logic, control setpoints, or system configurations before deployment. Affected products include EcoStruxure Control Expert, Process Expert, Machine Expert, OPC UA Server Expert, Architecture Builder, Operator Terminal Expert, Pro-face BLUE, Vijeo Designer, Zelio Soft 2, and related Asset Link tools.

What this means
What could happen
An attacker with local access to an engineering workstation running affected EcoStruxure software can escalate privileges and inject malicious code, potentially allowing them to modify process logic, alter setpoints, or compromise the integrity of control system designs before they are deployed to field devices.
Who's at risk
Engineering staff and system integrators using the Schneider Electric EcoStruxure software suite for control and process automation design. This includes operators of water treatment systems, power distribution networks, manufacturing facilities, and other industrial processes that rely on EcoStruxure for programming and configuring PLCs, HMI terminals, and SCADA systems. Affected products span multiple Schneider platforms, including Control Expert, Process Expert, Machine Expert, and OPC UA servers used across the energy, water, and manufacturing sectors.
How it could be exploited
An attacker with a local user account on an engineering workstation can exploit an insecure DLL loading or privilege escalation flaw to execute code with elevated privileges. Once elevated, they can load a malicious DLL into the EcoStruxure process, modifying control logic, automation sequences, or configuration data without requiring physical access to PLCs or field equipment.
Prerequisites
  • Local user account access to engineering workstation running affected EcoStruxure software
  • Low privilege user account (non-administrator)
  • Ability to write files to a directory in the DLL search path or exploit application configuration
  • Affects engineering workstations with code deployment capability
  • Local privilege escalation required but can be exploited by standard user accounts
  • Low CVSS complexity (AC:L) makes exploitation straightforward
  • No patches available for 12 of 13 affected products
  • Could compromise control system designs before deployment to field devices
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (13)
6 with fix, 7 EOL
Product | Affected Versions | Fix Status
EcoStruxure Control Expert | <V16.2 | V16.2
EcoStruxure Control Expert Asset Link | <V4.0 SP1 | V16.2
EcoStruxure Process Expert | <2023 V4.8.0.5715 | 2023 v4.8.0.5715
EcoStruxure Process Expert for AVEVA System Platform | All versions | 2023 v4.8.0.5715
EcoStruxure OPC UA Server Expert | <SV2.01 SP3 | No fix (EOL)
EcoStruxure Machine SCADA Expert Asset Link | All versions | No fix (EOL)
EcoStruxure Architecture Builder | <V7.0.18 | V7.0.18
EcoStruxure Operator Terminal Expert | <V4.0 | No fix (EOL)
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update EcoStruxure Control Expert to version V16.2 or later and reboot the system after installation
HOTFIX: Update EcoStruxure Architecture Builder to version V7.0.18 or later
HOTFIX: Update EcoStruxure Control Expert Asset Link to version V4.0 SP1 or later
HOTFIX: Update Vijeo Designer to version V6.3 SP1 HF1 or later (contact Schneider Electric Customer Support for access)
HOTFIX: Update EcoStruxure Process Expert to version 2023 v4.8.0.5715 or later, uninstalling the previous version first
Mitigations - no patch available
The following products have reached End of Life with no planned fix: EcoStruxure OPC UA Server Expert (<SV2.01 SP3), EcoStruxure Machine SCADA Expert Asset Link (all versions), EcoStruxure Operator Terminal Expert (<V4.0), Pro-face BLUE (<V4.0), EcoStruxure Machine Expert including EcoStruxure Machine Expert Safety (all versions), EcoStruxure Machine Expert Twin (all versions), Zelio Soft 2 (<V5.4.3). Apply the following compensating controls:
HARDENING: Restrict local user access to engineering workstations; only authorize personnel who need direct workstation access to perform engineering tasks
HARDENING: Implement file integrity monitoring on engineering workstations to detect unauthorized DLL modifications in application directories
HARDENING: Isolate engineering workstations on a separate network segment with restricted access to production control systems
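
A minimal form of the file integrity monitoring control above, as an added example that is not Schneider Electric's or OTPulse's code: it hashes every DLL under a directory, then reports DLLs that were added, modified or removed since the baseline. The function names Get-DllBaseline and Compare-DllBaseline are hypothetical, and the temporary demo directory is constructed to stand in for the real application directory, whose path this page does not give.

```powershell
# Added example, not vendor code. Function names are hypothetical.
function Get-DllBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Map every DLL under $Path (full path) to its SHA-256 hash.
    $hashes = @{}
    Get-ChildItem -LiteralPath $Path -Filter *.dll -File -Recurse | ForEach-Object {
        $hashes[$_.FullName] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $hashes
}

function Compare-DllBaseline {
    param([hashtable]$Baseline, [string]$Path)
    $current = Get-DllBaseline -Path $Path
    # Planted or replaced DLLs: present now but absent from, or different to, the baseline.
    foreach ($file in $current.Keys) {
        if (-not $Baseline.ContainsKey($file)) {
            [pscustomobject]@{ Change = 'Added'; File = $file }
        } elseif ($Baseline[$file] -ne $current[$file]) {
            [pscustomobject]@{ Change = 'Modified'; File = $file }
        }
    }
    # DLLs that were in the baseline but have disappeared.
    foreach ($file in $Baseline.Keys) {
        if (-not $current.ContainsKey($file)) {
            [pscustomobject]@{ Change = 'Removed'; File = $file }
        }
    }
}

# Constructed demo directory standing in for an application directory.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("fim-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'app.dll') -Value 'original build'
Set-Content -LiteralPath (Join-Path $demo 'helper.dll') -Value 'original build'
$baseline = Get-DllBaseline -Path $demo   # take this right after a trusted install

# Simulate drift: one DLL replaced, one planted, one deleted.
Set-Content -LiteralPath (Join-Path $demo 'app.dll') -Value 'replaced'
Set-Content -LiteralPath (Join-Path $demo 'planted.dll') -Value 'new file'
Remove-Item -LiteralPath (Join-Path $demo 'helper.dll')

Compare-DllBaseline -Baseline $baseline -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

For real use, persist the baseline (for example with Export-Clixml) somewhere standard user accounts cannot write, since a baseline that a low-privilege user can edit defeats the check.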