Schneider Electric EcoStruxure Building Operation (EBO) versions 1.9 through 3.1 contain multiple vulnerabilities: insecure file upload validation (CWE-434), cross-site scripting (CWE-79), unsafe XML processing / XML external entity handling (CWE-611), improper access control (CWE-284), and an unquoted search path (CWE-428; note that CWE-428 is "Unquoted Search Path or Element", a local weakness, not deserialization). These flaws affect the WebReports, Enterprise Server, Enterprise Central, and WebStation components. An authenticated attacker could upload malicious files, inject scripts into pages viewed by other users, or exploit configuration weaknesses to compromise building control systems. Version 3.2 and later are not affected. For earlier versions, hotfix patches are available through the Schneider Electric Exchange Community.
What this means
What could happen
An attacker with valid building operation user credentials could upload malicious files, inject code into web interfaces, or exploit configuration vulnerabilities to gain control of building automation systems, potentially disrupting HVAC, lighting, and facility operations.
Who's at risk
Building automation operators and facility managers running Schneider Electric EcoStruxure Building Operation versions 1.9 through 3.1, including organizations that manage HVAC systems, lighting controls, and other building infrastructure through EBO dashboards (WebReports, WebStation) or central administration systems (Enterprise Server, Enterprise Central).
How it could be exploited
An authenticated attacker accesses the EBO web interface (WebReports, WebStation, or Enterprise Server) and exploits file upload validation flaws (CWE-434) to upload arbitrary files, or injects malicious scripts into web pages (CWE-79) that execute in other users' browsers. Alternatively, they could exploit XML processing or access control weaknesses to extract sensitive data or escalate privileges within the building control system.
Prerequisites
Valid EBO user credentials (any privilege level that accesses the web interface)
Network access to the EBO web application (WebReports, WebStation, or Enterprise Server)
User interaction required for XSS attacks (victim must view injected page)
Administrator access may be required for some file upload and configuration exploitation paths
Local access to the host is required for the unquoted search path issue (CWE-428), which is a local privilege-escalation weakness rather than a web-interface flaw
Remotely exploitable
Authentication required
User interaction required for XSS
Multiple vulnerability types (file upload, injection, access control)
Low EPSS score (1.5%), but the affected product runs critical building systems
Exploitability
EPSS 1.5% (estimated probability of exploitation in the wild within 30 days): low on its own, but the affected product controls HVAC, lighting, and other facility infrastructure, so the impact of a successful attack is high
Affected products (4)
4 with fix
Product                        Affected versions    Fixed in
WebReports                     1.9 - 3.1            3.2
Enterprise Server installer    1.9 - 3.1            3.2
Enterprise Central installer   2.0 - 3.1            3.2
WebStation                     2.0 - 3.1            3.2
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to EBO web interfaces (WebReports, WebStation, Enterprise Server) to authorized engineering and administrative workstations only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
UPGRADE: Upgrade EcoStruxure Building Operation to version 3.2 or later, which is not affected
HOTFIX: For versions prior to 3.2 that cannot be upgraded yet, locate and apply the EBO Hotfix patch available on the Schneider Electric Exchange Community (community.exchange.se.com, search 'EBO Hotfix List')
Long-term hardening
HARDENING: Disable unnecessary EBO web features and file upload functionality if not required for operations
HARDENING: Implement web application firewall rules to block malicious file uploads and detect XSS injection attempts targeting EBO interfaces
HARDENING: Enforce strong authentication and role-based access controls to limit EBO user privileges to the minimum necessary
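The network workaround above and the upload/XSS detection item can both be verified from the web server's access logs. The following script is an added example for this page, not Schneider Electric code: it parses combined-format access log lines and flags requests to EBO web interfaces from hosts outside the engineering-workstation allowlist, upload requests naming server-executable files, and script markers in request URLs. The URL prefixes, the allowlist addresses, the query parameter names, and the log lines are all constructed for illustration; real EBO deployments may use different paths and parameter names, so adjust EBO_PATH_PREFIXES and the upload check to match the actual server configuration.

```python
"""Triage access-log lines for suspicious activity against EBO web interfaces.

Added example for this advisory, not part of the EBO product. All paths,
addresses and log lines below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Hypothetical URL prefixes under which the EBO web components are served.
EBO_PATH_PREFIXES = ("/webreports/", "/webstation/", "/enterpriseserver/")

# Hypothetical allowlist of engineering/admin workstations (the network workaround).
ALLOWED_SOURCES = {"10.10.5.21", "10.10.5.22"}

# Server-executable or configuration extensions a reporting UI never needs to accept.
BLOCKED_UPLOAD_EXT = {".aspx", ".ashx", ".asmx", ".asp", ".exe", ".dll",
                      ".ps1", ".bat", ".jsp", ".php", ".config"}

# Crude reflected/stored XSS indicators in a decoded request target (CWE-79).
XSS_MARKERS = re.compile(r"<\s*script|javascript:|on(?:error|load|mouseover)\s*=",
                         re.IGNORECASE)

# Apache/nginx "combined" access log format. IIS W3C logs need a different parser.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def analyze_line(line, allowed_sources=ALLOWED_SOURCES):
    """Return a list of (rule, detail) findings for one access-log line."""
    m = LOG_RE.match(line)
    if m is None:
        return [("unparsed", line.strip())]
    src, user, method, target = m["src"], m["user"], m["method"], m["target"]
    parts = urlsplit(target)
    path = unquote_plus(parts.path).lower()
    if not path.startswith(EBO_PATH_PREFIXES):
        return []  # not a request to an EBO web interface
    findings = []
    # 1. Source host is not on the engineering-workstation allowlist.
    if src not in allowed_sources:
        findings.append(("source_not_allowlisted", f"{src} -> {parts.path}"))
    # 2. Upload request naming a file with a server-executable extension (CWE-434).
    #    Assumes the hypothetical upload endpoint carries the file name in the query.
    if method == "POST" and "upload" in path:
        qs = parse_qs(parts.query)
        for key in ("filename", "file", "name"):
            for value in qs.get(key, []):
                ext = "." + value.rsplit(".", 1)[-1].lower() if "." in value else ""
                if ext in BLOCKED_UPLOAD_EXT:
                    findings.append(("blocked_upload_extension",
                                     f"{user}@{src} uploaded {value}"))
    # 3. Script markers in the percent-decoded request target.
    decoded = unquote_plus(target)
    if XSS_MARKERS.search(decoded):
        findings.append(("xss_marker_in_request", f"{user}@{src}: {decoded}"))
    return findings


def triage(log_text, allowed_sources=ALLOWED_SOURCES):
    """Run analyze_line over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(analyze_line(line, allowed_sources))
    return findings


# Constructed sample log: two allowlisted engineers, one non-allowlisted host
# that uploads an .aspx file and then probes a dashboard page with a script tag.
SAMPLE_LOG = """\
10.10.5.21 - ops.engineer [12/Mar/2021:09:14:02 +0000] "GET /WebReports/Home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.5.21 - ops.engineer [12/Mar/2021:09:15:40 +0000] "POST /WebReports/Upload?filename=q1-energy.pdf HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.10.9.77 - contractor1 [12/Mar/2021:09:20:11 +0000] "POST /WebReports/Upload?filename=status.aspx HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.10.9.77 - contractor1 [12/Mar/2021:09:21:05 +0000] "GET /WebStation/Trend?title=%3Cscript%3Edocument.location%3D%27http%3A//10.10.9.77/c%27%3C/script%3E HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
10.10.5.22 - - [12/Mar/2021:09:30:00 +0000] "GET /images/logo.png HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:26} {detail}")
```

On the sample above the two allowlisted requests and the non-EBO image request produce nothing, while the contractor host yields four findings: an allowlist violation on each request, the .aspx upload, and the script tag in the trend page URL. A hit on the allowlist rule is also direct evidence that the "Do now" network restriction is not yet in place at the network layer.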