EcoStruxure™ and SmartStruxure™ Power Monitoring and SCADA Software
Plan Patch · 8.4 · SEVD-2020-287-04 · Oct 13, 2020
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: Required
Summary
Schneider Electric EcoStruxure™ and SmartStruxure™ Power Monitoring & SCADA Software products contain multiple vulnerabilities (CWE-284 improper access control, CWE-79 cross-site scripting) that could allow an attacker with high privileges and user interaction to execute code remotely and gain root-level access to the underlying operating system on the impacted server.
What this means
What could happen
An attacker with administrative credentials and user interaction could execute arbitrary code on your power monitoring or SCADA server, gaining complete control of the system and potentially disrupting visibility into power distribution, energy management, or SCADA operations.
Who's at risk
Electric utilities and power distribution operators using Schneider Electric EcoStruxure Power Monitoring Expert, EcoStruxure Energy Expert, EcoStruxure Power SCADA Operations, SmartStruxure Power Manager, or StruxureWare PowerSCADA Expert software for real-time monitoring and control of power systems. Affected organizations rely on these servers for visibility and management of electrical infrastructure.
How it could be exploited
An attacker with high-level privileges on the network would need to trick a user (through social engineering or UI manipulation) into performing an action that triggers the vulnerability. Once successful, the attacker gains code execution on the server with root-level permissions, allowing them to modify system configuration, access sensitive data, or disrupt monitoring capabilities.
Prerequisites
- High-privilege network access to the affected server
- Valid administrative or high-level user credentials
- User interaction required (social engineering or UI-based trigger needed)
- Network connectivity to the web interface or management port
- Remotely exploitable
- High-privilege access required (reduces risk but not zero)
- No patch available for some versions (Power Manager 1.1–1.3, StruxureWare PowerSCADA Expert 8.x)
- Affects SCADA/power monitoring systems
- Root-level code execution potential
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (9)
4 with fix, 5 pending

| Product | Affected Versions | Fix Status |
|---|---|---|
| EcoStruxure™ Power Monitoring Expert | 9.0 | 2020 |
| EcoStruxure™ Power Monitoring Expert | 8.x | 2020 |
| EcoStruxure™ Power Monitoring Expert | 7.x | 2020 |
| EcoStruxure™ Energy Expert | 2.0 | 3.0 |
| Power Manager | 1.1 | No fix yet |
| Power Manager | 1.2 | No fix yet |
| Power Manager | 1.3 | No fix yet |
| StruxureWare™ PowerSCADA Expert with Advanced Reporting and Dashboards Module | 8.x | No fix yet |
Remediation & Mitigation
Do now
Power Manager
- HARDENING: For Power Manager (v1.1–1.3) and StruxureWare PowerSCADA Expert (v8.x), implement network segmentation to restrict administrative access to the SCADA server and limit connections to trusted engineering workstations only
- WORKAROUND: For Power Manager and StruxureWare PowerSCADA Expert products with no patch available, disable user interaction features or restrict access through firewall rules if operationally feasible
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade EcoStruxure Power Monitoring Expert to version 2020 or later
- HOTFIX: Upgrade EcoStruxure Energy Expert to version 3.0 or later
- HOTFIX: Upgrade EcoStruxure Power SCADA Operations with Advanced Reporting and Dashboards Module to version 2020 or later
API:
/api/v1/advisories/20c81b5d-7026-40cb-89a4-302e5ad08c8c