C-Bus Toolkit and C-Gate Server

Act NowCVSS 8.8SEVD-2021-103-01Apr 13, 2021

Schneider ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in Schneider Electric C-Bus Toolkit (versions before 1.15.10) and C-Gate Server (versions before 2.11.8) allow remote code execution. The vulnerabilities involve file path traversal (CWE-22), improper permissions (CWE-732), and authentication issues (CWE-287). Exploitation could allow an attacker with network access and valid credentials to execute arbitrary commands on the engineering workstation or server, potentially enabling unauthorized control of C-Bus building automation systems.

What this means

What could happen

An attacker with network access and valid credentials could execute arbitrary code on the C-Bus Toolkit workstation or C-Gate Server, potentially compromising the engineering workstation and enabling unauthorized changes to C-Bus building automation configurations.

Who's at risk

Building automation system operators and integrators who use Schneider Electric's C-Bus Toolkit for configuring lighting, HVAC, and other C-Bus installations. This affects engineering workstations used for commission and configuration of C-Bus networks, primarily in commercial and institutional buildings (offices, schools, hospitals).

How it could be exploited

An attacker with network access to the C-Gate Server port and valid engineering credentials could exploit file path traversal or permission misconfigurations to write malicious code or scripts that execute with the application's privileges, gaining command execution on the host system.

Prerequisites

Network access to C-Gate Server on its listening port (typically 20000)
Valid C-Bus Toolkit or C-Gate Server user credentials
C-Bus Toolkit version below 1.15.10 or C-Gate Server version below 2.11.8 running on the target system

remotely exploitableauthentication required (reduces risk)high CVSS (8.8)EPSS 13.6% (above 10%)vendor patch availableaffects engineering workstations used to control building systems

Exploitability

Likely to be exploited — EPSS score 11.3%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

C-Bus Toolkit <1.15.9<1.15.91.15.10

C-Gate Server <2.11.7<2.11.72.11.8

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to C-Gate Server ports (default port 20000) to authorized engineering workstations only using firewall rules

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate C-Bus Toolkit to version 1.15.10 or later

HOTFIXUpdate C-Gate Server to version 2.11.8 or later

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate C-Bus Toolkit and C-Gate Server systems from untrusted networks

CVEs (7)

CVE-2021-22716 CVE-2021-22717 CVE-2021-22718 CVE-2021-22719 CVE-2021-22720 CVE-2021-22748 CVE-2021-22796

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5cdb860e-744c-4a4b-8a2e-ee16b4c8e340

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.