Schneider Electric Altivar products ATVdPAC module ILC992 InterLink Converter (Update A)

Monitor | CVSS 6.1 | ICS-CERT ICSA-25-259-01 | Sep 9, 2025
Schneider Electric | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Schneider Electric Altivar Process Drives, Altivar Machine Drives, and related modules contain a Cross-Site Scripting (CWE-79) vulnerability. Affected products include ATVdPAC module, ATV600-series (ATV630/650/660/680/6A0/6B0/6L0), ATV900-series (ATV930/950/955/960/980/9A0/9B0/9L0/991/992/993), ATV340E Altivar Machine Drives, ATV6000 Medium Voltage drives, ATS490 Altivar Soft Starter, ILC992 InterLink Converter, and Altivar Process Communication Modules. The vulnerability allows injection of malicious scripts that could result in partial loss of confidentiality and integrity when accessed through a web browser interface.

What this means
What could happen
An attacker could inject malicious scripts through the web interface of affected drives. If an operator accesses a compromised interface, the attacker could steal credentials, modify settings, or perform actions on behalf of the operator, potentially altering drive configurations and process parameters.
Who's at risk
Energy utilities and industrial plants using Schneider Electric Altivar Process Drives (ATV600 and ATV900 series), Altivar Machine Drives (ATV340E), Altivar Soft Starters (ATS490), ATVdPAC control modules, ATV6000 medium-voltage drives, ILC992 converters, and Process Communication Modules. Anyone who operates or configures these drives through a web browser interface is at risk.
How it could be exploited
An attacker crafts a malicious URL or web request containing script code and tricks an operator into clicking it or accessing a compromised web interface. When the operator's browser processes the request, the injected script executes with the operator's privileges, allowing credential theft or unauthorized configuration changes to the drive.
Prerequisites
  • Operator or engineer must access the drive's web-based management interface through a browser
  • Attacker must be able to inject malicious input into a web parameter (via phishing, network interception, or compromised interface)
remotely exploitable; low complexity; requires user interaction (operator must click malicious link or access compromised interface); affects safety-critical infrastructure; multiple products without fixes available
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (25)
20 with fix, 5 pending
Product | Affected Versions | Fix Status
ATVdPAC module | <25.0 | 25.0
ATV630 Altivar Process Drives | <4.5 | 4.5
ATV650 Altivar Process Drives | <4.5 | 4.5
ATV660 Altivar Process Drives | <4.5 | 4.5
ATV680 Altivar Process Drives | <4.5 | 4.5
Remediation & Mitigation
Do now
HARDENING: Restrict web-based access to affected drives to trusted engineering workstations only using network firewall rules or access control lists
WORKAROUND: Disable web-based management interfaces on affected drives if not actively used; manage drives only through secure, isolated engineering networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

ATVdPAC module
HOTFIX: Update ATVdPAC module to version 25.0 or later
ATV340E Altivar Machine Drives
HOTFIX: Update ATV340E Altivar Machine Drives to firmware version 4.5 or later
All products
HOTFIX: Update ATV630, ATV650, ATV660, ATV680, ATV6A0, ATV6B0, ATV6L0 drives to firmware version 4.5 or later
HOTFIX: Update ATV930, ATV950, ATV955, ATV960, ATV980, ATV9A0, ATV9B0, ATV9L0, ATV991, ATV992, ATV993 drives to firmware version 4.5 or later
HOTFIX: Update ATS490 Altivar Soft Starter to version 1.2ie05 or later