U.motion Servers and Touch Panels

MonitorCVSS 6.3SEVD-2020-133-03May 12, 2020

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

Schneider Electric has identified multiple vulnerabilities in U.motion KNX servers and touch panel products, including authorization bypass (CWE-863) and SQL injection (CWE-89) flaws. These vulnerabilities affect the MTN6501-0001, MTN6501-0002, MTN6260-0410, MTN6260-0415, MTN6260-0310, and MTN6260-0315 product lines. An authenticated attacker could exploit these issues to access unauthorized data or modify building automation configuration. All affected products are vulnerable in versions prior to 1.4.2.

What this means

What could happen

An authenticated user could exploit authorization bypass and SQL injection vulnerabilities in U.motion servers and touch panels to read or modify sensitive configuration data and building automation settings.

Who's at risk

Building automation and KNX system operators using Schneider Electric U.motion servers and touch panels for HVAC, lighting, and facility management control. Any organization running these devices in their building management infrastructure should prioritize this update, particularly if the systems are connected to networks or internet-facing.

How it could be exploited

An attacker with valid credentials to the U.motion web interface could inject SQL commands through user input fields to access the underlying database, or bypass access controls to modify settings they should not have permission to change. This requires authentication but could allow lateral movement or escalation within the building management system.

Prerequisites

Valid user credentials for the U.motion web interface
Network access to the U.motion server on its management port (typically HTTP/HTTPS)
Knowledge of vulnerable input fields or authorization paths

remotely exploitablerequires authenticationlow complexityauthorization bypass capabilitySQL injection vulnerabilityno active exploitation reported

Exploitability

Unlikely to be exploited — EPSS score 0.8%

Affected products (6)

6 with fix

ProductAffected VersionsFix Status

MTN6501-0001 – U.Motion – KNX Server prior to 1.4.2<1.4.21.4.2

MTN6501-0002 – U.Motion – KNX Server Plus prior to 1.4.2<1.4.21.4.2

MTN6260-0410 – U.Motion KNX server Plus, Touch 10 prior to 1.4.2<1.4.21.4.2

MTN6260-0415 – U.Motion KNX server Plus, Touch 15 prior to 1.4.2<1.4.21.4.2

MTN6260-0310 – U.Motion KNX Client Touch 10 prior to 1.4.2<1.4.21.4.2

MTN6260-0315 – U.Motion KNX Client Touch 15 prior to 1.4.2<1.4.21.4.2

Remediation & Mitigation

0/7

Do now

0/2

WORKAROUNDRestrict network access to U.motion management interfaces using firewall rules; limit to authorized engineering and administrative workstations

HARDENINGReview and enforce strong password policies for all U.motion user accounts; audit user access levels to apply least privilege

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

HOTFIXUpdate U.motion KNX Server (MTN6501-0001) to firmware version 1.4.2 or later

HOTFIXUpdate U.motion KNX Server Plus (MTN6501-0002) to firmware version 1.4.2 or later

HOTFIXUpdate U.motion KNX server Plus, Touch 10 (MTN6260-0410) to firmware version 1.4.2 or later

HOTFIXUpdate U.motion KNX server Plus, Touch 15 (MTN6260-0415) to firmware version 1.4.2 or later

HOTFIXUpdate U.motion KNX Client Touch 10 (MTN6260-0310) to firmware version 1.4.2 or later

CVEs (2)

CVE-2020-7499 CVE-2020-7500

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/cd6fc83c-0c5d-4bb1-8a5b-978bf8ef6fb3

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.