Multiple Schneider Electric smart building control devices using Silicon Labs EmberZNet Zigbee processors are vulnerable to denial of service attacks via malformed packets. Affected products include the Wiser Connected family (dimmers, switches, shutters, motion sensors, application modules, radiator valves, thermostats, boiler relays, heating switches, and micromodules), Iconic Connected devices, EV charging equipment (Mureva EV Link), and various cFMT modules. The vulnerability stems from insufficient packet validation in the underlying Zigbee stack. No vendor fix is available for any of the affected products. Attackers within wireless range can send crafted packets that cause devices to crash and become unavailable, requiring manual restart.
What this means
What could happen
An attacker could send specially crafted Zigbee packets to these smart building control devices, causing them to become unavailable and stopping automated lighting, heating, ventilation, or electrical distribution until they are manually rebooted.
Who's at risk
Energy utilities, water authorities, and commercial building operators using Schneider Electric Wiser smart home/building control products are affected. This includes building automation switches, dimmers, shutters, motion sensors, thermostatic radiator valves (iTRV), boiler control relays, electrical heating switches, socket outlets, and EV charging equipment. Any facility using these Zigbee-based devices for HVAC, lighting, or electrical load control is at risk.
How it could be exploited
An attacker within wireless range of the Zigbee network sends a malformed EmberZNet packet to a vulnerable device. The device fails to validate the packet properly, crashes, and stops responding to commands. No credentials or authentication are required, only proximity to the Zigbee network.
Prerequisites
Wireless proximity to the Zigbee network (typically less than 100 meters depending on obstacles)
Device must be powered on and connected to the Zigbee mesh
No credentials or authentication required
No patch available for any affected productRemotely exploitable via wireless (Zigbee)No authentication requiredLow exploit complexityAffects building automation and safety-related systems (boiler relays, heating switches)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (34)
34 pending
ProductAffected VersionsFix Status
Iconic, Connected Smart Socket All VersionsAll versionsNo fix yet
Wiser Connected Application Module 1-Gang All VersionsAll versionsNo fix yet
Wiser Connected Application Module 2-Gang All VersionsAll versionsNo fix yet
Wiser Connected Push Button Dimmer All VersionsAll versionsNo fix yet
Wiser Connected Push Button Switch All VersionsAll versionsNo fix yet
Remediation & Mitigation
0/5
Do now
0/1
WORKAROUNDDisable wireless access to critical HVAC, heating, and electrical distribution devices if not operationally required
Long-term hardening
0/4
HARDENINGIsolate Zigbee control networks behind firewalls from the business network