Schneider Electric Software Update (SESU)
Plan Patch
CVSS score: 7.9
Advisory ID: SEVD-2020-196-01
Published: Jul 14, 2020
Attack Vector: Network
Auth Required: High
Complexity: High
User Interaction: None needed
Summary
A redirect vulnerability exists in Schneider Electric Software Update (SESU) version 2.4.0 and prior. An attacker with administrative access could exploit this vulnerability to redirect the software update mechanism, potentially allowing injection of malicious code or firmware into connected industrial devices.
What this means
What could happen
An attacker with administrative credentials on an engineering workstation could exploit a redirect vulnerability in SESU to conduct phishing attacks or inject malicious code during software update operations, potentially compromising the integrity of firmware deployed to operational devices.
Who's at risk
Electric utilities and energy infrastructure operators using Schneider Electric SESU for firmware and software distribution should prioritize this update. SESU is typically run on engineering workstations that manage PLCs, intelligent electronic devices (IEDs), and other field equipment. A compromise of the update process could affect the integrity of all connected devices.
How it could be exploited
An attacker with high-privilege access to SESU could manipulate the update process through a redirect vulnerability (CWE-601) to direct the software update mechanism to malicious sources, allowing injection of compromised firmware or code into connected industrial devices.
Prerequisites
- High-privilege (administrative) access to the engineering workstation running SESU
- SESU version 2.4.0 or earlier
- Access to the network where SESU communicates with download/update servers
Key points: Redirect/open redirect vulnerability (CWE-601); requires high-privilege credentials; affects the software/firmware update supply chain; high CVSS score (7.9); impacts confidentiality, integrity, and availability
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fixed in
Schneider Electric Software Update (SESU) V2.4.0 and prior | ≤ 2.4.0 | 2.5.0
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update SESU from version 2.4.0 or earlier to version 2.5.0 or later
Long-term hardening
HARDENING: Review SESU access controls and restrict administrative console access to authorized engineering personnel only
HARDENING: Verify the integrity of all firmware deployed via SESU during the window when vulnerable versions were in use
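As an added illustration of the hardening items above (this is not SESU's own code and does not describe how SESU resolves update locations), the following Python update-client policy refuses to follow a redirect that leaves an allow-listed HTTPS host and verifies the downloaded artifact against a digest pinned out of band. The host names, paths, responses and digests are constructed placeholders.

```python
"""Redirect-hardened update fetch (constructed example, not SESU's own code)."""
import hashlib
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"updates.example-vendor.test"}  # constructed placeholder host
MAX_HOPS = 3

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def check_hop(current_url, location, allowed_hosts=ALLOWED_HOSTS):
    """Resolve one Location header as an HTTP client would; return the next URL, or
    None if the hop leaves the allow-listed HTTPS origin (catches "//host/path" too)."""
    nxt = urljoin(current_url, location)
    parts = urlsplit(nxt)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        return None
    return nxt

def fetch_update(url, transport, expected_sha256,
                 allowed_hosts=ALLOWED_HOSTS, max_hops=MAX_HOPS):
    """Follow at most max_hops redirects, each vetted by check_hop, then verify the
    artifact against a digest pinned out of band (e.g. from a signed manifest).
    transport(url) -> (status, headers, body). Returns (True, body) or (False, reason)."""
    hops = 0
    while True:
        status, headers, body = transport(url)
        if 300 <= status < 400:
            hops += 1
            if hops > max_hops:
                return False, "too many redirects"
            url = check_hop(url, headers.get("Location", ""), allowed_hosts)
            if url is None:
                return False, "redirect left trusted origin"
            continue
        if status != 200:
            return False, f"unexpected status {status}"
        if sha256_hex(body) != expected_sha256:
            return False, "digest mismatch"
        return True, body

# Constructed responses standing in for an update server; the "hijacked" path
# is a redirect that tries to send the client to a host outside the allow-list.
FAKE_SERVERS = {
    "https://updates.example-vendor.test/sesu/latest": (302, {"Location": "/sesu/fw-1.2.bin"}, b""),
    "https://updates.example-vendor.test/sesu/fw-1.2.bin": (200, {}, b"FIRMWARE-1.2"),
    "https://updates.example-vendor.test/sesu/hijacked": (302, {"Location": "//untrusted-mirror.test/fw.bin"}, b""),
}

def fake_transport(url):
    return FAKE_SERVERS.get(url, (404, {}, b""))
```

Swapping the allow-list check for a signature check on a manifest gives the same protection for mirrors; the point is that the client, not the server's Location header, decides where firmware may come from.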
CVEs (1)