Schneider Electric EcoStruxure (Update C)

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-25-037-02 | Jan 14, 2025
Schneider Electric | Energy
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A local privilege escalation vulnerability in Schneider Electric EcoStruxure software (CWE-427: Uncontrolled Search Path Element) allows an attacker with local system access to execute arbitrary code with elevated privileges. This affects multiple EcoStruxure engineering and SCADA design tools including Process Expert, Control Expert, Machine Expert, OPC UA Server Expert, Architecture Builder, Vijeo Designer, and Zelio Soft 2. Successful exploitation could enable modification of process control logic, alteration of equipment parameters, or system shutdown. Several product variants have no patched versions available from the vendor.

What this means
What could happen
An attacker with local access to an engineering workstation running EcoStruxure software could escalate privileges and execute arbitrary code through a malicious DLL, potentially allowing unauthorized modification of control logic, process parameters, or operational shutdown of industrial equipment.
Who's at risk
Energy sector operators and manufacturers using Schneider Electric EcoStruxure engineering and SCADA software suites should prioritize this. Affected products include EcoStruxure Process Expert, Control Expert, OPC UA Server Expert, Machine Expert, Vijeo Designer, Architecture Builder, and Zelio Soft 2. This impacts anyone deploying these tools on Windows engineering workstations, operator terminals, or automation servers.
How it could be exploited
An attacker with local access to a Windows machine running vulnerable EcoStruxure software exploits an unspecified privilege escalation vulnerability (CWE-427: Uncontrolled Search Path Element) to execute arbitrary DLL files with elevated privileges. This requires local code execution capability but no special credentials or authentication.
Prerequisites
  • Local access to a Windows computer running vulnerable EcoStruxure software
  • Ability to write files to a location in the DLL search path
  • No special credentials or authentication required
  • Low complexity exploitation
  • Local access required (limits remote risk but high risk in facilities with shared engineering networks)
  • Affects control software (process design and asset management)
  • No patch available for several product variants (EcoStruxure OPC UA Server Expert, Machine SCADA Expert Asset Link, Operator Terminal Expert, Machine Expert, Machine Expert Twin, Zelio Soft 2)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (28)
20 with fix, 8 EOL
Product | Affected Versions | Fix Status
EcoStruxure™ Process Expert | <2023 | 2023 (v4.8.0.5715)
EcoStruxure™ Process Expert for AVEVA System Platform All versions | All versions | 2023 (v4.8.0.5715)
EcoStruxure™ Control Expert | <16.2 | 16.2
EcoStruxure™ OPC UA Server Expert | <SV2.01SP3 | SV2.01SP3
EcoStruxure™ Control Expert Asset Link | <4.0 SP1 | 4.0SP1
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Vijeo Designer
HOTFIX: Update Vijeo Designer to version V6.3 SP1 HF1 or later (contact Schneider Electric support)
All products
HOTFIX: Update EcoStruxure Control Expert to version V16.2 or later and reboot the computer after installation
HOTFIX: Update EcoStruxure Architecture Builder to version V7.0.18 or later
HOTFIX: Update EcoStruxure Control Expert Asset Link to version V4.0 SP1 or later
HOTFIX: Update EcoStruxure Process Expert to version 2023 (v4.8.0.5715) or later; uninstall the previous 2023 version before installing the fixed version
Mitigations - no patch available
The following products have reached End of Life with no planned fix: EcoStruxure™ Machine SCADA Expert Asset Link All versions, EcoStruxure OPC UA Server Expert: <SV2.01_SP3, EcoStruxure Machine SCADA Expert Asset Link: vers:all/*, EcoStruxure Operator Terminal Expert: <V4.0, Pro-face BLUE: <V4.0, EcoStruxure Machine Expert including EcoStruxure Machine Expert Safety: vers:all/*, EcoStruxure Machine Expert Twin: vers:all/*, Zelio Soft 2: <V5.4.3. Apply the following compensating controls:
HARDENING: Restrict local access to engineering workstations to authorized personnel only; implement physical security and access controls
HARDENING: Monitor engineering workstations for unauthorized DLL loading and privilege escalation attempts using endpoint detection tools
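The prerequisite listed above, write access to a location in the DLL search path, can be audited directly on a workstation. The PowerShell below is an added example, not part of the advisory or any Schneider Electric tooling: it reports search path directories where an account other than SYSTEM, Administrators or TrustedInstaller may create files. The function name Get-WritableSearchPathDir and the install directory are hypothetical placeholders.

```powershell
# Added example: audit DLL search path directories for non-admin write access.
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# CreateFiles/WriteData (0x2) is enough to drop a DLL; GENERIC_WRITE and
# GENERIC_ALL imply it and appear as raw values in some ACEs.
$createMask = 0x2 -bor 0x40000000 -bor 0x10000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WritableSearchPathDir {
    param([string[]]$Directory)
    foreach ($entry in ($Directory | Where-Object { $_ } | Select-Object -Unique)) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim('"'))
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # Missing entries deserve review: the loader still probes them.
            [pscustomobject]@{ Directory = $dir; Principal = '(directory missing)'; Rights = '' }
            continue
        }
        $rules = (Get-Acl -LiteralPath $dir).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($rule.PropagationFlags.HasFlag($inheritOnly)) { continue }  # applies to children only
            if ($trusted -contains $sid) { continue }
            if (([int]$rule.FileSystemRights -band $createMask) -eq 0) { continue }
            # Resolve the SID to a name where possible; keep the SID otherwise.
            try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid }
            [pscustomobject]@{ Directory = $dir; Principal = $name; Rights = $rule.FileSystemRights }
        }
    }
}

# Placeholder path: replace with the real install directory on the workstation.
$installDir = 'C:\Path\To\EcoStruxure\Install'
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'
Get-WritableSearchPathDir -Directory (@($installDir) + $machinePath) | Format-Table -AutoSize
```

Any row in the output is a directory whose ACL should be tightened or whose PATH entry should be removed, which matters most for the End of Life products that will not receive a fix.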