OTPulse

U.motion Servers and Touch Panels

Monitor · CVSS 6.3 · SEVD-2020-133-03 · May 12, 2020
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Schneider Electric has identified multiple vulnerabilities in U.motion KNX servers and touch panel products, including authorization bypass (CWE-863) and SQL injection (CWE-89) flaws. These vulnerabilities affect the MTN6501-0001, MTN6501-0002, MTN6260-0410, MTN6260-0415, MTN6260-0310, and MTN6260-0315 product lines. An authenticated attacker could exploit these issues to access unauthorized data or modify building automation configuration. All affected products are vulnerable in versions prior to 1.4.2.

What this means
What could happen
An authenticated user could exploit authorization bypass and SQL injection vulnerabilities in U.motion servers and touch panels to read or modify sensitive configuration data and building automation settings.
Who's at risk
Building automation and KNX system operators using Schneider Electric U.motion servers and touch panels for HVAC, lighting, and facility management control. Any organization running these devices in its building management infrastructure should prioritize this update, particularly where the U.motion web interface is reachable from the general corporate network or from the internet.
How it could be exploited
An attacker holding valid credentials for the U.motion web interface, even a low-privileged account, could inject SQL through user-controlled input fields to read or alter data in the underlying database, or use the authorization flaw to change settings the account is not entitled to modify. Authentication is required, but a weak or compromised operator account would be enough to escalate privileges or move laterally within the building management system.
Prerequisites
  • Valid user credentials for the U.motion web interface
  • Network access to the U.motion server on its management port (typically HTTP/HTTPS)
  • Knowledge of vulnerable input fields or authorization paths
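The two flaw classes the advisory names, authorization bypass (CWE-863) and SQL injection (CWE-89), are easiest to recognise side by side. The following is an added, generic illustration and is not U.motion code: the schema, table names, sample rows and the `get_settings_*` functions are constructed for the demonstration. The vulnerable variant trusts a request-supplied user id as the principal and concatenates user input into SQL; the hardened variant takes the owner from the server-side session and binds every value as a parameter.

```python
# Added illustration of the two flaw classes in the advisory (CWE-89 and
# CWE-863). Generic example code, not U.motion firmware; the schema, table
# names and sample rows are constructed for the demonstration.
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample data: an admin and
    an operator, each owning some building-automation settings."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, role TEXT);
        CREATE TABLE settings(owner_id INTEGER, setting_name TEXT, setting_value TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'operator', 'operator');
        INSERT INTO settings VALUES
            (1, 'hvac.setpoint', '21'),
            (1, 'admin.password_hash', '$6$constructed$hash'),
            (2, 'lighting.scene', 'night');
    """)
    return con


def get_settings_vulnerable(con, request_user_id, name_filter):
    """Vulnerable pattern.
    CWE-863: the principal is taken from a request parameter, so any
             authenticated user can name another user's id.
    CWE-89:  user-controlled strings are concatenated into the SQL text."""
    sql = ("SELECT setting_name, setting_value FROM settings"
           " WHERE owner_id = " + str(request_user_id)
           + " AND setting_name LIKE '" + name_filter + "'")
    return con.execute(sql).fetchall()


def get_settings_hardened(con, session_user_id, name_filter):
    """Hardened pattern.
    The owner is the server-side session identity (never a request field),
    and every user-supplied value is passed as a bound parameter."""
    sql = ("SELECT setting_name, setting_value FROM settings"
           " WHERE owner_id = ? AND setting_name LIKE ?")
    return con.execute(sql, (session_user_id, name_filter)).fetchall()


def demo():
    """Operator (id 2) is logged in. Returns the row count each call yields."""
    con = make_db()
    return {
        # Authorization bypass: operator asks for owner_id 1 and gets admin's rows.
        "vuln_other_user": len(get_settings_vulnerable(con, "1", "%")),
        # SQL injection: the filter closes the quote and ORs in a tautology.
        "vuln_injected": len(get_settings_vulnerable(con, "2", "x' OR '1'='1")),
        # Same payload against the hardened query is just an unmatched LIKE pattern.
        "hard_injected": len(get_settings_hardened(con, 2, "x' OR '1'='1")),
        # Legitimate use still works and stays scoped to the session user.
        "hard_own": len(get_settings_hardened(con, 2, "%")),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the injected filter turns the vulnerable query into `... owner_id = 2 AND setting_name LIKE 'x' OR '1'='1'`, so the tautology overrides the ownership restriction as well: a SQL injection flaw in an authenticated interface is itself an authorization bypass, which is why the advisory's two CWEs tend to travel together.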
Tags: remotely exploitable · requires authentication · low complexity · authorization bypass · SQL injection · no active exploitation reported
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (6), 6 with fix

Product                                             Affected versions   Fixed in
MTN6501-0001  U.Motion KNX Server                   < 1.4.2             1.4.2
MTN6501-0002  U.Motion KNX Server Plus              < 1.4.2             1.4.2
MTN6260-0410  U.Motion KNX Server Plus, Touch 10    < 1.4.2             1.4.2
MTN6260-0415  U.Motion KNX Server Plus, Touch 15    < 1.4.2             1.4.2
MTN6260-0310  U.Motion KNX Client Touch 10          < 1.4.2             1.4.2
MTN6260-0315  U.Motion KNX Client Touch 15          < 1.4.2             1.4.2
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to U.motion management interfaces using firewall rules; allow only authorized engineering and administrative workstations.
HARDENING: Review and enforce strong password policies for all U.motion user accounts; audit user access levels and apply least privilege.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update U.motion KNX Server (MTN6501-0001) to firmware version 1.4.2 or later
HOTFIX: Update U.motion KNX Server Plus (MTN6501-0002) to firmware version 1.4.2 or later
HOTFIX: Update U.motion KNX Server Plus, Touch 10 (MTN6260-0410) to firmware version 1.4.2 or later
HOTFIX: Update U.motion KNX Server Plus, Touch 15 (MTN6260-0415) to firmware version 1.4.2 or later
HOTFIX: Update U.motion KNX Client Touch 10 (MTN6260-0310) to firmware version 1.4.2 or later
HOTFIX: Update U.motion KNX Client Touch 15 (MTN6260-0315) to firmware version 1.4.2 or later
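Both the affected-products table and the hotfix list reduce to one check per device: is the model one of the six listed, and is its firmware below 1.4.2? The script below is an added example, not part of the advisory or of any Schneider Electric tooling. It triages a constructed CSV inventory (the hostnames are made up and `XYZ-0000` is a placeholder for an unrelated device) and compares versions as integer tuples, so that a device on 1.10.0 is correctly reported as already fixed rather than flagged by a naive string comparison.

```python
# Added example, not part of the advisory: triage a device inventory against
# the affected-version table and the patch plan. The inventory lines are
# constructed; "XYZ-0000" is a placeholder for an unrelated device.
import csv
import io
import re

FIXED_IN = "1.4.2"

# Model numbers exactly as listed in the advisory's affected-products table.
AFFECTED_MODELS = {
    "MTN6501-0001": "U.Motion KNX Server",
    "MTN6501-0002": "U.Motion KNX Server Plus",
    "MTN6260-0410": "U.Motion KNX Server Plus, Touch 10",
    "MTN6260-0415": "U.Motion KNX Server Plus, Touch 15",
    "MTN6260-0310": "U.Motion KNX Client Touch 10",
    "MTN6260-0315": "U.Motion KNX Client Touch 15",
}

# Constructed sample inventory (host, model, firmware as reported by the device).
INVENTORY_CSV = """\
host,model,firmware
umotion-01.bms.local,MTN6501-0001,1.3.5
umotion-02.bms.local,MTN6260-0410,1.4.2
panel-07.bms.local,mtn6260-0315,1.2.0
umotion-03.bms.local,MTN6501-0002,1.10.0
other-01.bms.local,XYZ-0000,2.9
"""


def parse_version(text):
    """'1.4.2' -> (1, 4, 2). Each dotted component contributes its leading
    integer ('2-rc1' -> 2); absent components are padded with 0. Tuples are
    compared so that 1.10.0 sorts after 1.4.2, which a string compare gets wrong."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(model, firmware):
    """True when the model is in the advisory and runs firmware below 1.4.2."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return False
    return parse_version(firmware) < parse_version(FIXED_IN)


def triage(inventory_csv):
    """Return [(host, action)] with action 'update to 1.4.2', 'ok' or 'not in scope'."""
    out = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = row["model"].strip().upper()
        if model not in AFFECTED_MODELS:
            action = "not in scope"
        elif is_affected(model, row["firmware"]):
            action = "update to %s" % FIXED_IN
        else:
            action = "ok"
        out.append((row["host"], action))
    return out


if __name__ == "__main__":
    for host, action in triage(INVENTORY_CSV):
        print("%-24s %s" % (host, action))
```

Devices reported as "update to 1.4.2" are the ones to book into the maintenance window above; until then they should at least be behind the firewall restriction from the "Do now" list.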
API: /api/v1/advisories/cd6fc83c-0c5d-4bb1-8a5b-978bf8ef6fb3