Schneider Electric EcoStruxure™
Plan Patch · 7.8 · ICS-CERT ICSA-25-079-01 · Feb 11, 2025
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Schneider Electric EcoStruxure Process Expert and EcoStruxure Process Expert for AVEVA System Platform contain a local privilege escalation vulnerability in their service control mechanism. An attacker with a user account on an engineering workstation can exploit improper privilege handling to escalate to administrator level, gaining full control of the machine and the ability to modify PLC programs and SCADA supervision configurations. The vulnerability is classified as a local privilege escalation (CWE-269) affecting the engineering tools used to design, maintain, and operate Modicon controller and SCADA projects.
What this means
What could happen
A local attacker with user-level credentials on an engineering workstation can escalate privileges and take full control of the machine, potentially compromising project files, controller configurations, and SCADA supervision logic for the entire process control system.
Who's at risk
Energy sector operators and engineering organizations using Schneider Electric EcoStruxure Process Expert or EcoStruxure Process Expert for AVEVA System Platform to design, commission, and operate Modicon PLC projects and SCADA supervision systems. This affects engineering teams who develop and manage control logic for process control applications.
How it could be exploited
An attacker with a valid user account on the engineering workstation exploits improper privilege handling in the EcoStruxure service control mechanism to elevate to administrator level. Once elevated, the attacker can modify Process Expert projects, alter PLC programs, or inject malicious logic into SCADA supervision configurations without detection.
Prerequisites
- Local access to the engineering workstation running an affected EcoStruxure Process Expert version
- Valid user account credentials on the workstation
- Ability to interact with Windows service control utilities (sc.exe)
requires local access (not remotely exploitable) · requires valid user credentials · affects engineering workstations that manage PLC and SCADA configurations · no patch available for 2020_R2 and 2021 versions · no patch available for AVEVA System Platform versions · could enable unauthorized modification of control logic and process parameters
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (6)
1 with fix · 5 pending

| Product | Affected Versions | Fix Status |
|---|---|---|
| EcoStruxure™ Process Expert | 2020 R2 | No fix yet |
| EcoStruxure™ Process Expert | 2021 | No fix yet |
| EcoStruxure™ Process Expert 2023 | <4.8.0.5715 | 4.8.0.5715 |
| EcoStruxure™ Process Expert for AVEVA System | 2020 R2 | No fix yet |
| EcoStruxure™ Process Expert for AVEVA System | 2021 | No fix yet |
| EcoStruxure™ Process Expert for AVEVA System | 2023 | No fix yet |
Remediation & Mitigation
Do now
- WORKAROUND: For EcoStruxure Process Expert 2020_R2 and 2021 versions (no fix available): restrict execute permissions on sc.exe (Windows service control utility) to administrator users only
- WORKAROUND: For all affected EcoStruxure Process Expert for AVEVA System Platform versions: restrict execute permissions on sc.exe to administrator users only until vendor provides a patch
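To check whether the sc.exe workaround above is in place on a workstation, the following added example (not from the advisory or the vendor) lists every principal outside an allow-list that still holds execute rights on sc.exe. The allow-list of SIDs and the decision to also check the SysWOW64 copy are assumptions; adjust them to the site's policy.

```powershell
# Added example (not vendor code): report principals, other than the expected
# administrative ones, that still hold execute rights on sc.exe. Read-only.

# Assumption: only these well-known SIDs should retain execute access.
$AllowedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Assumption: audit both the native and the 32-bit (WOW64) copy when present.
$ScPaths = @(
    (Join-Path $env:SystemRoot 'System32\sc.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\sc.exe')
) | Where-Object { Test-Path -LiteralPath $_ }

# Access-mask bits that permit execution: FILE_EXECUTE, GENERIC_EXECUTE, GENERIC_ALL.
$ExecuteBits = 0x20 -bor 0x20000000 -bor 0x10000000

function Get-ScExecuteFinding {
    param([string[]]$Path = $ScPaths)
    foreach ($file in $Path) {
        $acl = Get-Acl -LiteralPath $file
        # Request SIDs directly so the result does not depend on name resolution.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (([int]$rule.FileSystemRights -band $ExecuteBits) -eq 0) { continue }
            $sid = $rule.IdentityReference.Value
            if ($AllowedSids -contains $sid) { continue }
            # Resolve a display name where possible; fall back to the raw SID.
            $name = try { $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
            [pscustomobject]@{
                File      = $file
                Identity  = $name
                Sid       = $sid
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings = @(Get-ScExecuteFinding)
if ($findings.Count -eq 0) { 'sc.exe: execute rights are limited to the allowed principals.' }
else { $findings | Format-Table -AutoSize }
```

On a default Windows installation this reports entries such as BUILTIN\Users, which is the state the workaround is meant to change; an empty result indicates the restriction is applied.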
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update EcoStruxure Process Expert 2023 to version 4.8.0.5715 or later
Long-term hardening
- HARDENING: Deploy application whitelisting (e.g., McAfee Application and Change Control) to allow execution of only approved applications on engineering workstations
- HARDENING: Isolate engineering workstations from business network; never connect them to networks other than the control system network
- HARDENING: Implement physical access controls and cabinet locks to prevent unauthorized use of engineering workstations
CVEs (1)