OTPulse

Schneider Electric Wiser Home Controller WHC-5918A

Act Now · CVSS 9.8 · ICS-CERT ICSA-25-112-03 · Jul 9, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric Wiser Home Controller WHC-5918A contains a vulnerability that could result in credential theft and device compromise. The product is a C-Bus based home automation controller that was discontinued December 31, 2015. All versions are affected.

What this means
What could happen
An attacker who obtains credentials for the WHC-5918A could gain unauthorized access and compromise the home automation controller, potentially disrupting lighting, HVAC, or other automated building systems.
Who's at risk
Building automation and facility managers responsible for Schneider Electric Wiser Home Controller WHC-5918A installations, particularly those in energy sector facilities with legacy home automation systems.
How it could be exploited
An attacker could exploit the vulnerability to steal credentials from the WHC-5918A. With those credentials, the attacker could gain unauthorized access to the controller and potentially alter its configuration or commands, disrupting home automation functions.
Prerequisites
  • Network access to the Wiser Home Controller
  • Ability to trigger or access the credential exposure vulnerability
  • No patch available (end-of-life product)
  • Critical severity
  • High CVSS score (9.8)
  • Credential theft possible
  • Low EPSS score suggests exploit is not widely available yet
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: Wiser Home Controller WHC-5918A All Versions
Affected Versions: All versions
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate the Wiser Home Controller and C-Bus control network behind a firewall, separating it from business networks and the Internet
  • HARDENING: Restrict network access to the controller: do not expose it to the Internet; use secure remote access methods like VPN only if remote access is required
  • HARDENING: Implement physical access controls: keep the controller in a locked cabinet and ensure it is never left in 'Program' mode
  • HARDENING: Ensure programming software for the controller is never connected to any network other than the dedicated control network
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Scan all removable media (USB drives, CDs) before connecting them to the control network to prevent malware introduction
  • HARDENING: Prohibit mobile devices that have connected to other networks from accessing the control network without proper security checks
Mitigations - no patch available
Wiser Home Controller WHC-5918A All Versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Evaluate end-of-life status and plan for replacement of the WHC-5918A with a supported, current-generation Schneider Electric home automation controller