OTPulse
FeedAboutContact

IGSS (Interactive Graphical SCADA System)

Plan Patch7.8SEVD-2020-070-01Mar 10, 2020
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

Schneider Electric has identified multiple vulnerabilities in IGSS that allow local, authenticated users to exploit path traversal and improper access control in the IGSSupdate service. An attacker with local access and valid credentials could read sensitive files or execute commands on the system. IGSS version 14 and earlier are affected.

What this means
What could happen
An authenticated local attacker could exploit path traversal and improper access control vulnerabilities in the IGSSupdate service to read arbitrary files or execute commands on the SCADA system, potentially altering process parameters or disrupting production operations.
Who's at risk
This affects energy sector operators and any facility running IGSS (Interactive Graphical SCADA System) for process monitoring and control. IGSS is commonly used in power generation, distribution, and manufacturing environments to manage critical process operations. Organizations using IGSS version 14 or earlier with the IGSSupdate service active are at risk.
How it could be exploited
An attacker with local access to a machine running IGSS could interact with the IGSSupdate service. By crafting malicious requests that exploit path traversal (CWE-22) and missing access controls (CWE-306), the attacker could access files outside the intended directory structure or bypass authentication checks to execute arbitrary operations on the SCADA system.
Prerequisites
  • Local access to the IGSS server or workstation
  • At least one valid local user account on the system running IGSSupdate
  • IGSS version 14 or earlier
Local access required (not remotely exploitable)Authentication requiredAffects SCADA systems which control physical operationsPath traversal and access control defects
Exploitability
Moderate exploit probability (EPSS 1.8%)
Affected products (1)
ProductAffected VersionsFix Status
IGSS using the service: IGSSupdate≤ 1414.0.0.20009
Remediation & Mitigation
0/4
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate IGSS to version 14.0.0.20009 or later
HOTFIXFor IGSS version 13 and earlier, upgrade to IGSS version 14.0.0.20009 or later
Long-term hardening
0/2
HARDENINGRestrict local access to the IGSS server; limit user accounts and enforce strong authentication policies
HARDENINGImplement network segmentation to isolate IGSS systems from untrusted networks and general IT infrastructure
View full Schneider Electric advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/1ff58454-f74f-4d3b-bd4b-c8956c752289
IGSS (Interactive Graphical SCADA System) | CVSS 7.8 - OTPulse