Vijeo Designer and Vijeo Designer Basic Software
Status: Plan Patch
Score: 8.6
Advisory: SEVD-2020-133-02
Published: May 12, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Schneider Electric Vijeo Designer Basic and Vijeo Designer software products contain hardcoded credentials (CWE-798) that allow unauthenticated attackers to gain unauthorized access to engineering workstations. Affected versions: Vijeo Designer Basic V1.1 HotFix 16 and earlier, Vijeo Designer V6.2 SP9 and earlier. An attacker with network access could leverage these credentials to modify HMI/SCADA project configurations or inject malicious code into control system deployments.
What this means
What could happen
An attacker could exploit hardcoded credentials in Vijeo Designer to gain unauthorized access to engineering workstations, potentially allowing modification of HMI/SCADA configurations or deployment of malicious code to connected industrial devices.
Who's at risk
Operators and maintenance staff at water authorities and electric utilities who use Vijeo Designer or Vijeo Designer Basic to create, edit, or deploy HMI/SCADA applications. Engineering workstations running these tools that have network connectivity are at risk, especially if accessible from untrusted networks.
How it could be exploited
An attacker with network access to a Vijeo Designer workstation could use hardcoded credentials (CWE-798) to authenticate to the software. Once authenticated, they could modify project configurations, alter setpoints, or inject code that would be deployed to connected PLCs, RTUs, or other control devices when projects are published.
Prerequisites
- Network access to the Vijeo Designer workstation or engineering computer
- Knowledge of the hardcoded credentials embedded in the software
- Access to a project file or active connection to a control device
- Remotely exploitable
- No authentication required (hardcoded credentials)
- Low complexity attack
- Affects engineering and control system configuration
- Default/hardcoded credentials present
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Vijeo Designer Basic V1.1 HotFix 16 and prior | ≤ 1.1 HotFix 16 | 1.1 HotFix 17
Vijeo Designer V6.2 SP9 and prior | ≤ 6.2 SP9 | 6.2 SP10
Remediation & Mitigation
Do now
HARDENING: Isolate engineering workstations running Vijeo Designer on a protected network segment with restricted access
HARDENING: Implement firewall rules to restrict network access to Vijeo Designer workstations to authorized personnel only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade Vijeo Designer Basic to version 1.1 HotFix 17 or later
HOTFIX: Upgrade Vijeo Designer to version 6.2 SP10 or later (released July 2020)
Long-term hardening
HARDENING: Monitor and log all connections to Vijeo Designer workstations for suspicious activity
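The two network controls above (restrict access to an authorized segment, then watch the connection logs) can be checked together. The following is an added example, not part of the advisory or of any Schneider Electric tooling: it reads a constructed connection-log format, keeps only connections that target an assumed inventory of Vijeo Designer workstations, and raises an alert when an allowed connection came from outside the assumed authorized management subnet. Host names, subnets, IP addresses and the log line layout are all constructed assumptions; a real deployment would feed it the site's own firewall or host connection logs.

```python
"""Review connection logs for Vijeo Designer engineering workstations.

Added example (not from the advisory). Inventory, subnets, addresses and
the log line format are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed inventory: IP address -> host name of workstations running Vijeo Designer.
ENGINEERING_WORKSTATIONS = {
    "10.20.5.11": "ews-vijeo-01",
    "10.20.5.12": "ews-vijeo-02",
}

# Assumed policy: only the engineering/maintenance VLAN may reach those hosts.
AUTHORIZED_SOURCE_NETS = [ipaddress.ip_network("10.20.5.0/24")]


@dataclass
class Connection:
    timestamp: str
    src: str
    dst: str
    action: str  # "ALLOW" or "DENY" as recorded by the firewall


def parse_line(line):
    """Parse the constructed format '<timestamp> <ACTION> <src> -> <dst>'."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        raise ValueError(f"unrecognised log line: {line!r}")
    timestamp, action, src, _, dst = parts
    return Connection(timestamp, src, dst, action.upper())


def is_authorized_source(ip):
    """True when the source address lies inside an authorized management subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_SOURCE_NETS)


def classify(conn):
    """Label one connection relative to the workstation access policy."""
    if conn.dst not in ENGINEERING_WORKSTATIONS:
        return "ignore"      # not an engineering workstation, out of scope here
    if is_authorized_source(conn.src):
        return "expected"    # authorized segment talking to a workstation
    if conn.action == "DENY":
        return "blocked"     # firewall rule held; still worth counting as probing
    return "alert"           # allowed connection from an unauthorized segment


def review(lines):
    """Return (counts per verdict, list of human-readable alerts)."""
    counts = {"expected": 0, "blocked": 0, "alert": 0, "ignore": 0, "malformed": 0}
    alerts = []
    for line in lines:
        try:
            conn = parse_line(line)
        except ValueError:
            counts["malformed"] += 1
            continue
        verdict = classify(conn)
        counts[verdict] += 1
        if verdict == "alert":
            host = ENGINEERING_WORKSTATIONS[conn.dst]
            alerts.append(
                f"{conn.timestamp} {conn.src} -> {host} ({conn.dst}): "
                "allowed connection from outside the authorized segment"
            )
    return counts, alerts


# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    "2020-05-12T08:00:01 ALLOW 10.20.5.40 -> 10.20.5.11",   # expected
    "2020-05-12T08:05:14 ALLOW 192.168.1.77 -> 10.20.5.12", # alert
    "2020-05-12T08:07:30 DENY 172.16.9.5 -> 10.20.5.11",    # blocked
    "2020-05-12T08:09:02 ALLOW 10.20.5.40 -> 10.20.7.3",    # ignore (not a workstation)
    "garbled line from a broken collector",                  # malformed
]

if __name__ == "__main__":
    counts, alerts = review(SAMPLE_LOG)
    print(counts)
    for a in alerts:
        print("ALERT:", a)
```

A non-zero "alert" count means the firewall restriction is not actually in place for that path; a rising "blocked" count from one source is the signal the monitoring item asks for. Both should be reviewed by the same staff who own the workstation segment.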
CVEs (1)