OTPulse

Schneider Electric Altivar products ATVdPAC module ILC992 InterLink Converter (Update A)

Monitor · Severity 6.1 · ICS-CERT ICSA-25-259-01 · Sep 9, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Schneider Electric Altivar drives and related products contain a Cross-Site Scripting (CWE-79) vulnerability in their web interfaces. An attacker can inject malicious JavaScript code into requests, which executes in the browser of an operator accessing the device's web interface. This could result in unauthorized viewing or modification of drive settings, theft of session credentials, or execution of commands in the operator's browser context. The vulnerability affects multiple Altivar Process Drive models (ATV6xx, ATV9xx series), ATV340E Machine Drives, ATVdPAC modules, ILC992 InterLink Converters, ATS490 Soft Starters, and Altivar Process Communication Modules. Patches are available for ATV6xx, ATV9xx, ATV340E, and ATVdPAC, but several product lines have no fix planned.

What this means
What could happen
An attacker could inject malicious code into the web interface of Schneider Electric variable frequency drives and soft starters, compromising the confidentiality and integrity of data displayed to or entered by an operator accessing the device remotely.
Who's at risk
Energy utilities operating Schneider Electric Altivar variable frequency drives (ATV series) and soft starters (ATS490) should prioritize patching. Water authorities using these drives for pump control, wastewater treatment process drives, or ATV6000 medium-voltage drives for large pump systems are affected. Facilities relying on ILC992 InterLink Converters for process integration and those using Altivar Process Communication Modules have no patch path and must rely on network controls.
How it could be exploited
An attacker crafts a malicious request containing JavaScript code and tricks an operator into clicking a link or opening a page that embeds this request (e.g., via phishing email or compromised website). When the operator's browser accesses the vulnerable device's web interface, the injected script executes in the operator's browser session, allowing the attacker to steal session tokens, modify displayed values, or perform actions on the drive.
Prerequisites
  • Network access to the device's web interface (typically port 80/443)
  • Operator must visit a crafted malicious link or page in their browser while logged into or viewing the device
  • No authentication required to inject the payload (reflected XSS)
  • Remotely exploitable via web interface
  • No authentication required for exploitation
  • Low complexity attack
  • Affects web-accessible operator interfaces
  • No patch available for ILC992, ATV6000, ATS490, and communication modules
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (24)
19 with fix, 5 pending

Product                          Affected Versions   Fix Status
ATVdPAC module                   < 25.0              25.0
ATV630 Altivar Process Drives    < 4.5               4.5
ATV650 Altivar Process Drives    < 4.5               4.5
ATV660 Altivar Process Drives    < 4.5               4.5
ATV680 Altivar Process Drives    < 4.5               4.5
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the web interfaces of ILC992 InterLink Converter, ATV6000 Medium Voltage drives, ATS490 Soft Starters, and Altivar Process Communication Modules using firewall rules; limit to trusted engineering workstations or management networks only
WORKAROUND: Disable remote access to web interfaces on unpatched devices if not required for operations; configure local-only access if feasible
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

ATVdPAC module
HOTFIX: Upgrade ATVdPAC module to version 25.0 or later
ATV340E Altivar Machine Drives
HOTFIX: Upgrade ATV340E Altivar Machine Drives to firmware version 4.5 or later
All products
HOTFIX: Upgrade ATV630/650/660/680/6A0/6B0/6L0 Altivar Process Drives to firmware version 4.5 or later
HOTFIX: Upgrade ATV930/950/955/960/980/9A0/9B0/9L0/991/992/993 Altivar Process Drives to firmware version 4.5 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate variable frequency drives and soft starters from untrusted networks and from operator workstations that browse the public internet
HARDENING: Use a dedicated, isolated engineering workstation with restricted internet access for accessing device web interfaces