AT&T Labs Compressor (XMilI) and Decompressor (XDemill) used by EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and SCADAPack RemoteConnect™ for x70
Low Risk | SEVD-2021-222-02 | Aug 1, 2021
Summary
Schneider Electric's EcoStruxure Control Expert, EcoStruxure Process Expert, and SCADAPack RemoteConnect for x70 use vulnerable AT&T Labs Compressor (XMilI) and Decompressor (XDemill) components for project file handling. An attacker can craft a malicious project file that, when opened by a valid user on the engineering workstation, executes arbitrary code with elevated privileges. This could allow the attacker to modify control logic, alter setpoints, or disrupt operations on connected industrial devices.
What this means
What could happen
An attacker with access to an engineering workstation could execute malicious code with elevated privileges if a user opens a crafted project file, potentially allowing the attacker to alter control logic, modify setpoints, or disrupt operations on connected industrial equipment.
Who's at risk
Engineering teams at utilities and water authorities using Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, or SCADAPack RemoteConnect for x70 on engineering workstations are affected. This impacts anyone who receives or exchanges project files—particularly those in environments where project collaboration or remote engineering access occurs.
How it could be exploited
An attacker creates a malicious project file (.project or similar) that exploits a flaw in the AT&T Labs Compressor/Decompressor components used to process files. When a valid engineering workstation user opens this file in EcoStruxure Control Expert, Process Expert, or SCADAPack RemoteConnect, the malicious payload executes with the privileges of the engineering application, potentially gaining elevated system access.
Prerequisites
- Local or network access to the engineering workstation
- Ability to deliver a crafted project file to the engineering workstation user (via email, shared drive, or other means)
- Valid engineering workstation user must open or load the malicious project file
- No authentication required to exploit (user interaction only)
- Low complexity attack (requires crafting a malicious file)
- Elevated privilege execution on engineering workstation
- Affects safety-critical engineering and control logic design
Exploitability
Moderate exploit probability (EPSS 6.7%)
Affected products (3)
3 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| EcoStruxure™ Control Expert | <15.1 HF001 | 15.1 HF001 |
| EcoStruxure™ Process Expert | <2021 | 2021 |
| SCADAPack RemoteConnect™ for x70 | <R2.7.3 | R2.7.3 |
Remediation & Mitigation
Do now
- HARDENING: Store project files in secure storage with access restricted to trusted users only
- HARDENING: Use secure communication channels (e.g., SFTP, HTTPS, signed transfers) when exchanging project files over the network
- HARDENING: Only open project files from trusted sources; instruct users not to open unsolicited project files or files from unknown senders
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update EcoStruxure Control Expert to version 15.1 HF001 or later
- HOTFIX: Update EcoStruxure Process Expert to version 2021 or later
- HOTFIX: Update SCADAPack RemoteConnect for x70 to version R2.7.3 or later
Long-term hardening
- HARDENING: Compute and regularly verify file hashes of project files to detect unauthorized modifications before loading
- HARDENING: Harden the engineering workstation running EcoStruxure Control Expert or Process Expert (e.g., disable unnecessary services, apply OS security patches, restrict user privileges)
- HARDENING: If using Unity Pro, strongly consider migrating to EcoStruxure Control Expert
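One way to carry out the hash-verification step above, as an added example (not code from the advisory or from Schneider Electric). The manifest layout, the HMAC seal, the function names and the assumption that the key is kept off the project share are all illustrative choices.

```python
import hashlib, hmac, json
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large project archives are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(store):
    """Map every file under the project store to its SHA-256 digest."""
    store = Path(store)
    return {p.relative_to(store).as_posix(): sha256_file(p)
            for p in sorted(store.rglob("*")) if p.is_file()}

def _mac(files, key):
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(files, key):
    """Bind the baseline to a key held off the share (assumption), so someone
    who can rewrite a project file cannot also re-baseline it unnoticed."""
    return {"files": files, "mac": _mac(files, key)}

def verify_store(store, sealed, key):
    """Compare the store with the sealed baseline; raise if the baseline is forged."""
    if not hmac.compare_digest(_mac(sealed["files"], key), sealed.get("mac", "")):
        raise ValueError("baseline manifest failed its integrity check")
    base, current = sealed["files"], build_manifest(store)
    return {
        "modified": sorted(n for n in base if n in current and current[n] != base[n]),
        "missing": sorted(n for n in base if n not in current),
        "unknown": sorted(n for n in current if n not in base),  # never baselined
    }

def safe_to_open(store, name, sealed, key):
    """True only for a baselined file whose current digest still matches."""
    report = verify_store(store, sealed, key)
    return name in sealed["files"] and name not in report["modified"] + report["missing"]
```

Store the sealed manifest outside the directory it describes; files reported as `unknown` were never baselined and should be treated like any project file from an unverified source.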
CVEs (13)