PowerLogic Power Metering Products

Plan PatchCVSS 7.5SEVD-2021-040-01Feb 8, 2021

Schneider ElectricEnergyManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric PowerLogic metering products (ION7400, ION7650, ION7700/73xx, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000, PM8000) contain two vulnerabilities: insecure Telnet protocol that transmits credentials in plaintext, and HTTP web interface with missing CSRF protections. These issues could allow credential disclosure and unintended device actions. Fixes are available for ION7400 (v3.0.0+), ION8650 (v4.40.1+), and ION9000 (v3.0.0+). ION7650, ION7700/73xx, ION83xx/84xx/85xx/8600, ION8800, and PM8000 have no patch available from the vendor.

What this means

What could happen

An attacker with network access to these metering devices could intercept unencrypted credentials transmitted over Telnet or HTTP, or trick an operator into performing unintended actions through the HTTP interface, potentially causing incorrect billing, power quality data manipulation, or unintended device configuration changes.

Who's at risk

Water and electrical utilities operating Schneider Electric PowerLogic metering devices (ION7400, ION7650, ION7700/73xx, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000, PM8000) should be concerned. These devices are critical for revenue metering and power quality monitoring in utility networks. Any compromise of metering data or settings directly impacts billing accuracy and operational visibility.

How it could be exploited

An attacker on the network intercepts Telnet sessions to capture operator credentials in plaintext, or sends a crafted HTTP request to the web interface to change device settings or trigger unintended actions, since these protocols lack encryption and HTTP requests lack CSRF protection.

Prerequisites

Network access to the metering device on port 23 (Telnet) or port 80 (HTTP)
No authentication required for initial network connection to exploitable services

remotely exploitableno authentication requiredlow complexityunencrypted credentials transmissionno patch available for most productsaffects critical metering infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (8)

3 with fix5 EOL

ProductAffected VersionsFix Status

ION7400 All<3.0.0v3.0.0

ION7650 All versionsAll versionsNo fix (EOL)

ION83xx/84xx/85xx/8600 All versionsAll versionsNo fix (EOL)

ION8650 V 4.31.2 and prior≤ 4.31.2v4.40.1

ION8800 All versionsAll versionsNo fix (EOL)

ION9000 All<3.0.0v3.0.0

PM8000 All<3.0.0No fix (EOL)

ION7700/73xx All versions. Note: Only affected by CVE-2021-22702 as these products do not support HTTP web functionality.All versionsNo fix (EOL)

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDDisable Telnet service and use SSH instead where available

WORKAROUNDDisable HTTP service and enforce HTTPS-only communication

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade ION7400 firmware to v3.0.0 or later

HOTFIXUpgrade ION8650 firmware to v4.40.1 or later

HOTFIXUpgrade ION9000 firmware to v3.0.0 or later

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: ION7650 All versions, ION83xx/84xx/85xx/8600 All versions, ION8800 All versions, PM8000 All, ION7700/73xx All versions. Note: Only affected by CVE-2021-22702 as these products do not support HTTP web functionality.. Apply the following compensating controls:

HARDENINGRestrict network access to metering devices via firewall rules to only authorized engineering and management networks

CVEs (3)

CVE-2021-22701 CVE-2021-22702 CVE-2021-22703

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3312fb29-73c7-4e11-880f-4b062d68a51f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.