Andover Continuum System
8.8 | SEVD-2020-070-04 | Mar 10, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Schneider Electric has identified multiple vulnerabilities in Andover Continuum (all versions). The product allows users to view and control Continuum system functions through a web interface. The vulnerabilities include code injection (CWE-94) and cross-site scripting (CWE-79) flaws that could allow remote attackers to execute arbitrary code or steal sensitive information. No security patch is available from the vendor.
What this means
What could happen
An attacker with network access to Andover Continuum could execute arbitrary code or steal sensitive data through cross-site scripting, potentially allowing unauthorized control of building automation, HVAC, lighting, or other facility systems.
Who's at risk
This affects organizations running Andover Continuum for building automation and facility management, particularly energy sector operators using Continuum to monitor and control HVAC systems, power distribution, lighting, and other critical building infrastructure. Any facility dependent on Continuum for operational visibility or control is at risk.
How it could be exploited
An attacker sends a specially crafted request containing malicious code to the Continuum web interface. If a user clicks a link or visits a malicious page, the code executes in their browser with access to the Continuum system, allowing the attacker to view system state, modify setpoints, or inject commands into the control network.
Prerequisites
- Network access to the Andover Continuum web interface (TCP port typically 80/443)
- User interaction required: an authenticated user must visit a malicious link or page
- No special credentials needed if the interface is unauthenticated or uses default credentials
- Remotely exploitable
- Low complexity attack
- No patch available
- User interaction required (reduces immediate risk but not when phishing is involved)
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
Product | Affected Versions | Fix Status
Andover Continuum | All Versions (vers.all/*) | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to Continuum administrative interfaces to authorized engineering stations only using firewall rules
- WORKAROUND: Disable or restrict browser scripting features on Continuum interfaces if the functionality allows
- HARDENING: Review and change any default credentials on Continuum user accounts
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Implement physical access controls: lock all controllers in cabinets and disable Program mode on unattended systems
Mitigations - no patch available
Andover Continuum All Versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Isolate the Andover Continuum system network behind a firewall from the business network
- HARDENING: If remote access is required, use a VPN with current security patches rather than exposing the interface to the internet
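As an added example, not from the advisory or the vendor, the following check complements the network-restriction workaround: it audits web access-log lines from the Continuum interface, flagging requests from sources outside an assumed engineering-station allowlist and requests whose target carries script-like content (the CWE-79 vector in the summary). The subnet, usernames, paths and log lines are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed allowlist of engineering stations permitted to reach the Continuum
# web interface (constructed subnet; replace with the real one).
ENGINEERING_STATIONS = [ipaddress.ip_network("10.20.30.0/28")]

# Constructed Common Log Format lines standing in for the interface's access
# log; paths are placeholders, and the last line carries an encoded <script>.
SAMPLE_LOG = """\
10.20.30.5 - eng1 [10/Mar/2020:09:01:02 +0000] "GET /webclient/home HTTP/1.1" 200 5120
192.168.50.17 - - [10/Mar/2020:09:05:44 +0000] "GET /webclient/login HTTP/1.1" 200 1200
10.20.30.9 - eng2 [10/Mar/2020:09:07:10 +0000] "GET /webclient/trend?point=AHU1 HTTP/1.1" 200 2048
192.168.50.17 - - [10/Mar/2020:09:08:31 +0000] "GET /webclient/trend?point=%3Cscript%3E HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markers that indicate script content in a request target (case-insensitive).
SCRIPT_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowed_source(src):
    """True only when src is a valid address inside an engineering-station subnet."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ENGINEERING_STATIONS)


def looks_like_script_injection(target):
    # Decode twice so one extra layer of percent-encoding cannot hide the markers.
    return bool(SCRIPT_RE.search(unquote(unquote(target))))


def audit(log_text):
    """Return (source, reason, request target) findings for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not is_allowed_source(rec["src"]):
            findings.append((rec["src"], "source not an authorized engineering station", rec["target"]))
        if looks_like_script_injection(rec["target"]):
            findings.append((rec["src"], "script-like content in request", rec["target"]))
    return findings


if __name__ == "__main__":
    for src, reason, target in audit(SAMPLE_LOG):
        print(f"{src}: {reason}: {target}")
```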
CVEs (2)
API: /api/v1/advisories/15457afa-18fb-4d09-a0df-71d3c593075b