Easergy T300

Act Now10SEVD-2020-315-06Nov 10, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric's Easergy T300 RTU contains access control vulnerabilities (missing authentication and authorization checks) that allow unauthorized access to the device's internal LAN. The device is a modular platform used in medium and low voltage public distribution network management. Versions 2.7 and older are affected. The vulnerabilities stem from improper input validation (CWE-1021) and unencrypted sensitive data storage (CWE-311), potentially exposing configuration and operational data to network-level attackers.

What this means

What could happen

An attacker with network access could bypass authentication controls and gain unauthorized access to the Easergy T300's internal network, allowing them to view sensitive configuration data, modify control settings, or interrupt distribution network management functions.

Who's at risk

Electric utilities and municipal distribution operators managing medium and low voltage networks using Easergy T300 Remote Terminal Units should prioritize this fix. The vulnerability affects the platform's access control, putting network management and automation systems at risk.

How it could be exploited

An attacker on the network could send specially crafted requests to the Easergy T300 that exploit missing access controls (CWE-306, CWE-862) to reach internal network resources normally protected from external access. No authentication is required, and the attack succeeds through standard network protocols without special complexity.

Prerequisites

Network access to the Easergy T300 device
Device running firmware version 2.7 or older

Remotely exploitableNo authentication requiredLow complexityAffects critical energy infrastructureMissing access controlsDefault or weak credential handling

Exploitability

Low exploit probability (EPSS 1.0%)

Affected products (1)

ProductAffected VersionsFix Status

Easergy T300 2.7 and older≤ 2.72.7.1

Remediation & Mitigation

0/2

Do now

0/1

WORKAROUNDDisable port forwarding in the product firewall as a compensating control

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Easergy T300 to firmware version 2.7.1 or later from Schneider Electric Customer Care Center

CVEs (5)

CVE-2020-7561 CVE-2020-28215 CVE-2020-28216 CVE-2020-28217 CVE-2020-28218

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7a192082-5f2c-4528-9977-4708f1b5e20f