Easergy Builder

Plan PatchCVSS 8.4SEVD-2020-161-05Jun 9, 2020

Schneider ElectricEnergy

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities affecting Easergy Builder configuration tool related to cryptographic weaknesses (CWE-327), hardcoded credentials (CWE-798), improper data protection (CWE-312), insufficient input validation (CWE-20), and weak credential storage (CWE-521). These vulnerabilities allow attackers with network access to compromise the configuration tool and potentially modify electrical equipment settings or extract sensitive configuration data. Schneider Electric has released a fix in version 1.6.3.0.

What this means

What could happen

An attacker with access to your engineering workstation or network could exploit multiple cryptographic and credential handling flaws in Easergy Builder to compromise the configuration tool, potentially allowing unauthorized modification of electrical equipment settings or extraction of sensitive configuration data.

Who's at risk

This affects energy sector operations that use Easergy Builder for configuration and management of electrical equipment. This includes utilities managing substations, distribution networks, and protection relays that depend on Easergy Builder for device configuration. Your IT and field engineering teams who use this tool to configure electrical equipment are directly affected.

How it could be exploited

An attacker on the same network as your engineering workstation running Easergy Builder could exploit weak cryptographic implementations (CWE-327), hardcoded credentials (CWE-798), or improper input validation (CWE-20) to gain control of the configuration tool. Once compromised, the attacker could modify device configurations, extract stored credentials, or alter electrical equipment settings without authentication.

Prerequisites

Network access to the engineering workstation running Easergy Builder
Easergy Builder version 1.4.7.2 or earlier installed and in use
Access to configuration files or network traffic containing configuration data

Weak cryptographic implementationHardcoded credentials in softwareWeak credential storage (plaintext or insufficient protection)Insufficient input validationRequires network access to engineering workstation

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

Easergy Builder≤ 1.4.7.21.6.3.0

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGVerify that all firmware and software updates for Easergy Builder are obtained directly from Schneider Electric's Customer Care Center or official sources only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Easergy Builder to version 1.6.3.0 or later immediately

WORKAROUNDReview and rotate any credentials that may have been stored or transmitted by Easergy Builder, particularly for electrical equipment management systems

Long-term hardening

0/1

HARDENINGIsolate engineering workstations running Easergy Builder on a dedicated, air-gapped network segment or jump host with restricted access

CVEs (6)

CVE-2020-7514 CVE-2020-7515 CVE-2020-7516 CVE-2020-7517 CVE-2020-7518 CVE-2020-7519

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5ab32e4e-7c18-4e2b-8d8f-f878dd474e07

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.