PowerLogic PM5500 and PowerLogic PM8ECC
Plan Patch | CVSS 8.1 | SEVD-2021-159-02 | Jun 8, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Schneider Electric PowerLogic PM55xx and PM8ECC products contain a vulnerability allowing elevation of privileges. Affected devices include power metering units (PM5560, PM5561, PM5562, PM5563) and an ethernet communication module (PM8ECC). The vulnerability is triggered via HTTP access to the device web interface and could result in loss of control of the affected device.
What this means
What could happen
An attacker with network access to the device could gain administrative control and alter power metering readings or disable the device, disrupting billing and power monitoring for your facility.
Who's at risk
Electric utilities and municipal power authorities should prioritize this advisory. All organizations using Schneider Electric PowerLogic PM5560, PM5561, PM5562, PM5563 power meters and PM8ECC ethernet communication modules for power distribution monitoring and billing are affected. Buildings and industrial sites with these metering devices are also at risk.
How it could be exploited
An attacker with HTTP network access to the power metering device sends a crafted request to the web interface. Due to insufficient authentication or authorization controls, the attacker can escalate privileges and execute commands on the device or modify its configuration.
Prerequisites
- Network connectivity to the device on the HTTP port (typically port 80)
- Device must have HTTP web service enabled (default configuration)
- No valid credentials required for initial access
remotely exploitable; no authentication required; affects critical infrastructure metering; high CVSS 8.1; no patch available for PM5561, PM5563, and PM8ECC
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (6)
5 with fix, 1 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| PowerLogic PM5561 | <10.7.3 | 10.7.3 |
| PowerLogic PM5560 | <2.7.8 | 2.8.3 |
| PowerLogic PM5562 v2.5.4 and prior | ≤ 2.5.4 | <4.3.5 |
| PowerLogic PM5562 | <4.3.5 | <4.3.5 |
| PowerLogic PM5563 | <2.7.8 | 2.8.3 |
| PowerLogic PM8ECC All Versions | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
WORKAROUND: Block HTTP access to PM55xx and PM8ECC devices at the firewall level
WORKAROUND: Disable HTTP web service on affected devices if not required for operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
PowerLogic PM5560
HOTFIX: Update PowerLogic PM5560 firmware to version 2.8.3 or later
PowerLogic PM5561
HOTFIX: Update PowerLogic PM5561 firmware to version 10.7.3 or later
PowerLogic PM5562
HOTFIX: Update PowerLogic PM5562 firmware to version 4.3.5 or later
PowerLogic PM5563
HOTFIX: Update PowerLogic PM5563 firmware to version 2.8.3 or later
Mitigations - no patch available
PowerLogic PM8ECC All Versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment power metering devices on a dedicated management network isolated from the general corporate network
CVEs (2)