OTPulse

Security Notification - U.motion Builder software

Act Now | 8.8 | SEVD-2018-095-01 | Apr 5, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Schneider Electric has confirmed active exploitation of a vulnerability in U.motion Builder software affecting all versions prior to 1.3.4. The vulnerability allows remote code execution without authentication or user interaction complexity. No patch is available, and Schneider Electric recommends immediate removal of the software from all systems. The vendor emphasizes network isolation, physical access controls, and secure remote access practices as critical mitigations.

What this means
What could happen
An attacker can execute arbitrary code on systems running U.motion Builder software, potentially gaining full control of engineering workstations and access to process automation and control systems. Since this vulnerability is actively exploited with no patch available, all instances present an immediate operational risk.
Who's at risk
This affects any organization using Schneider Electric's U.motion Builder software for control system configuration and engineering, including energy utilities, water authorities, and manufacturing plants that rely on Schneider automation systems. Engineers and control system operators who use this software are at direct risk.
How it could be exploited
An attacker can exploit this vulnerability remotely over a network without credentials. A user only needs to interact with a malicious file or resource (e.g., open a crafted project file, visit a compromised website). The attacker gains the ability to execute code with the privileges of the U.motion Builder application, potentially allowing lateral movement to connected control systems or engineering networks.
Prerequisites
  • Network access to a system running U.motion Builder software
  • User interaction required (opening a file or clicking a link)
  • No authentication required
  • Vulnerability affects all versions before 1.3.4
  • remotely exploitable
  • no authentication required
  • low complexity
  • actively exploited (KEV)
  • EPSS 94.2% (very high probability of exploitation)
  • no patch available
  • affects control system engineering software
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product | Affected Versions | Fix Status
U.motion Builder Software all | <1.3.4 | No fix (EOL)
Remediation & Mitigation
Do now
  • HOTFIX: Immediately cease using U.motion Builder software and remove it from all systems
  • HARDENING: Isolate control and safety system networks from business networks using firewalls and network segmentation
  • HARDENING: Restrict physical access to controllers and keep them in locked cabinets, never in 'Program' mode
  • HARDENING: Never connect U.motion Builder or other engineering software to any network other than the isolated control system network
  • HARDENING: Scan all removable media (USB drives, CDs) for malware before use on control system networks
  • HARDENING: Prohibit personal mobile devices from connecting to control or safety networks unless they have been properly sanitized
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Implement secure remote access using VPNs with current security patches if remote engineering access is required
Mitigations - no patch available
U.motion Builder Software all has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Minimize network exposure for all control system devices; ensure they are not accessible from the Internet