homeLYnk (Wiser For KNX) and spaceLYnk

Plan PatchCVSS 8.6SEVD-2021-130-04May 11, 2021

Schneider ElectricEnergy

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Schneider Electric's homeLYnk (Wiser For KNX) and spaceLYnk building management systems contain multiple vulnerabilities related to cryptographic implementation, credential handling, and information disclosure (CWE-269, CWE-347, CWE-522, CWE-327, CWE-200). These flaws could allow an attacker to gain unauthorized access to the product and potentially modify building control functions. homeLYnk is a personalized energy efficiency solution supporting KNX, Modbus, BACnet, and IP protocols. spaceLYnk is a building management platform for small-to-large commercial buildings.

What this means

What could happen

An attacker could gain unauthorized remote access to homeLYnk or spaceLYnk building management systems, potentially allowing them to read sensitive data or modify building control settings like HVAC and lighting systems.

Who's at risk

Building managers and facility operators using Schneider Electric homeLYnk (Wiser For KNX) or spaceLYnk systems for energy management, HVAC control, or integrated building automation in small-to-large buildings should prioritize updates. This affects any organization managing heating, cooling, lighting, or other building systems through these products.

How it could be exploited

An attacker with local access to the device (or remote access if the management interface is exposed to the network) could exploit multiple cryptographic and credential handling flaws to authenticate without valid credentials or intercept sensitive data, then gain remote access to the product's command interface.

Prerequisites

Local or remote access to the homeLYnk or spaceLYnk device interface
The device must be running firmware version 2.60 or earlier

Affects building control systemsMultiple cryptographic weaknesses presentWeak credential handlingPotential remote access risk

Exploitability

Unlikely to be exploited — EPSS score 0.9%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

homeLYnk (Wiser For KNX)≤ 2.602.61

spaceLYnk≤ 2.602.61

Remediation & Mitigation

0/4

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

homeLYnk (Wiser For KNX)

HOTFIXUpdate homeLYnk (Wiser For KNX) to version 2.61 or later

spaceLYnk

HOTFIXUpdate spaceLYnk to version 2.61 or later

All products

HOTFIXReboot the device after firmware update installation

HARDENINGVerify the firmware version in the device configuration after update

CVEs (9)

CVE-2021-22732 CVE-2021-22733 CVE-2021-22734 CVE-2021-22735 CVE-2021-22736 CVE-2021-22737 CVE-2021-22738 CVE-2021-22739 CVE-2021-22740

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d3ee548c-b055-4781-acec-0471adaf71fe

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.