Schneider Electric Sage Series
Act Now | CVSS 9.8 | ICS-CERT ICSA-25-107-02 | Jun 11, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Schneider Electric SAGE RTU products contain multiple critical vulnerabilities including buffer overflow (CWE-787, CWE-120), path traversal (CWE-22), and improper access control flaws (CWE-276, CWE-252, CWE-125) that allow unauthenticated remote code execution. These RTUs are hardware devices that collect utility substation information from meters and control devices and relay it to SCADA platforms. Exploitation could result in complete compromise of the affected RTU, leading to loss of substation telemetry data, inability to issue control commands, or degradation of power distribution operations.
What this means
What could happen
An attacker with network access could exploit buffer overflow and path traversal vulnerabilities to run arbitrary code on a SAGE RTU, potentially altering power flow monitoring data, blocking SCADA communications, or disrupting substation operations.
Who's at risk
Electric utility substations and power distribution operators using Schneider Electric SAGE RTU units (models 1410, 1430, 1450, 2400, 3030 Magnum, and 4400) for telemetry and SCADA integration. Any utility collecting and transmitting substation meter data and control signals through these RTUs is at risk.
How it could be exploited
An attacker on the network sends a malformed request to the RTU that exploits a buffer overflow (CWE-787, CWE-120) or path traversal flaw (CWE-22) to write malicious code into memory or access restricted files. The RTU executes this code with the same privileges as the service, allowing the attacker to run arbitrary commands. No authentication is required for this exploit.
Prerequisites
- Network access to the SAGE RTU on its control network or via exposed network interface
- No valid credentials required
- Remotely exploitable
- No authentication required
- Low complexity attack
- Critical CVSS score (9.8)
- Multiple memory safety flaws (buffer overflow, path traversal)
- Directly affects substation operations
- Buffer overflow can lead to arbitrary code execution
Exploitability
Moderate exploit probability (EPSS 1.2%)
Affected products (6)
6 with fix
Product             Affected Versions         Fix Status
Sage 1410           ≤ C3414-500-S02K5 P8      C3414-500-S02K5_P9
Sage 1430           ≤ C3414-500-S02K5 P8      C3414-500-S02K5_P9
Sage 1450           ≤ C3414-500-S02K5 P8      C3414-500-S02K5_P9
Sage 2400           ≤ C3414-500-S02K5 P8      C3414-500-S02K5_P9
Sage 3030 Magnum    ≤ C3414-500-S02K5 P8      C3414-500-S02K5_P9
Sage 4400           ≤ C3414-500-S02K5 P8      C3414-500-S02K5_P9
Remediation & Mitigation
Do now
HARDENING: Place SAGE RTU devices and substation networks behind firewalls and isolate from business network to restrict network access
HARDENING: Physically secure RTU devices in locked cabinets and ensure they are never left in Program mode
HARDENING: Restrict or disable remote access; if required, use VPN with strong authentication and keep VPN software updated
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
HOTFIX: Upgrade all SAGE RTU devices (1410, 1430, 1450, 2400, 3030 Magnum, 4400) to firmware version C3414-500-S02K5_P9 or later
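To track the upgrade, an asset inventory can be checked against the affected-versions table and the fixed firmware named above. The following is an added example, not code from the advisory or from Schneider Electric; the inventory layout, hostnames and status labels are assumptions, and a firmware string with no patch suffix is assumed to be older than P9.

```python
import re

# Values taken from the advisory's affected-products table.
AFFECTED_MODELS = {"1410", "1430", "1450", "2400", "3030 MAGNUM", "4400"}
FIXED_BASE = "C3414-500-S02K5"
FIXED_PATCH = 9  # fixed firmware is C3414-500-S02K5_P9

# The advisory writes the patch suffix both as " P8" and "_P9"; accept either.
_FW_RE = re.compile(r"^\s*([A-Z0-9]+(?:-[A-Z0-9]+)+)(?:[ _]P(\d+))?\s*$", re.I)


def classify(model: str, firmware: str) -> str:
    """Return PATCHED, VULNERABLE, NOT_LISTED or REVIEW for one device."""
    name = re.sub(r"^\s*sage\s+", "", model, flags=re.I).strip().upper()
    name = re.sub(r"\s+", " ", name)
    if name not in AFFECTED_MODELS:
        return "NOT_LISTED"
    m = _FW_RE.match(firmware or "")
    if not m:
        return "REVIEW"  # unreadable string: check the device by hand
    # Assumption: a missing patch suffix means patch level 0 (older than P9).
    base, patch = m.group(1).upper(), int(m.group(2) or 0)
    if base != FIXED_BASE:
        # Assumption: ordering between different base releases is not
        # stated on the page, so do not guess; route to manual review.
        return "REVIEW"
    return "PATCHED" if patch >= FIXED_PATCH else "VULNERABLE"


def audit(inventory):
    """Map each (host, model, firmware) row to its classification."""
    return {host: classify(model, fw) for host, model, fw in inventory}


# Constructed sample inventory (hostnames and firmware readings are made up).
SAMPLE = [
    ("rtu-sub01", "Sage 2400", "C3414-500-S02K5 P8"),
    ("rtu-sub02", "SAGE 3030 Magnum", "C3414-500-S02K5_P9"),
    ("rtu-sub03", "Sage 1410", "C3414-500-S02K5"),
    ("rtu-sub04", "Sage 4400", "C3414-500-S02K4_P3"),
    ("rtu-sub05", "Sage 1450", "unknown"),
    ("hmi-sub01", "Other HMI", "1.0"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:10} {status}")
```

Devices reported as REVIEW need their firmware confirmed on the unit itself before they are counted as remediated.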
Long-term hardening
HARDENING: Scan all removable media (USB drives, CDs) for malware before connecting to substation networks