Vijeo Designer and Vijeo Designer Basic
Monitor6.7SEVD-2020-105-03Apr 14, 2020
Attack VectorLocal
Auth RequiredLow
ComplexityHigh
User InteractionRequired
Summary
Vijeo Designer and Vijeo Designer Basic contain a vulnerability (CWE-426) that allows local code execution. The vulnerability exists in affected versions due to improper handling of software components, potentially allowing a local user to execute arbitrary code on the engineering workstation running the software.
What this means
What could happen
An attacker with local access to an engineering workstation running Vijeo Designer could execute arbitrary code, potentially allowing modification of HMI/SCADA project files and configurations that could affect industrial control operations when deployed to field devices.
Who's at risk
Engineering teams and plant operators responsible for maintaining HMI/SCADA projects in Schneider Electric environments. Organizations using Vijeo Designer for industrial automation engineering in electric utilities, water treatment facilities, and manufacturing plants are affected. The vulnerability requires local workstation access, so the primary risk is to engineering workstations and development environments rather than remote control systems.
How it could be exploited
An attacker must first gain local access to a workstation running vulnerable Vijeo Designer software. They would then exploit the CWE-426 (untrusted search path or similar component handling) vulnerability to run arbitrary code with the privileges of the user running Vijeo Designer. The attacker could then modify project files or configurations before they are deployed to production control systems.
Prerequisites
- Local access to the engineering workstation running Vijeo Designer
- User interaction required (attacker must influence the user's actions in the design environment)
- Low privileges (attacker starts as low-privilege local user)
Local access required (lower urgency than remote exploits)User interaction requiredMedium CVSS score (6.7)Low exploit probability (0.1% EPSS)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix
ProductAffected VersionsFix Status
Vijeo Designer Basic V1.1 HotFix 15 and prior≤ 1.1 HotFix 151.1 HotFix 16
Vijeo Designer V6.2 SP9 and prior≤ 6.2 SP96.2 SP10
Remediation & Mitigation
0/4
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
HOTFIXUpdate Vijeo Designer Basic to version 1.1 HotFix 16 or later
HOTFIXUpdate Vijeo Designer to version 6.2 SP10 or later (released July 2020; automatically available via Schneider Electric Software Update)
Long-term hardening
0/2HARDENINGRestrict local access to engineering workstations running Vijeo Designer to authorized personnel only
HARDENINGImplement workstation access controls and monitor for unauthorized local login attempts on engineering systems
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/25eba640-1e60-43c7-a7ac-3d9d6f3ae413