OTPulse

Pro-face GP-Pro EX

Plan Patch
CVSS 7.3
Advisory ID: SEVD-2021-222-03
Published: Aug 10, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Pro-face GP-Pro EX is an HMI Screen Editor and Logic Programming Software used to configure industrial control systems. A code execution vulnerability exists in the installer that could allow an attacker with local access to hijack the software installation process and execute code with elevated privileges.

What this means
What could happen
An attacker with local access to a workstation running the GP-Pro EX installer could execute arbitrary code with elevated privileges, potentially compromising HMI logic and control configurations used to operate industrial equipment.
Who's at risk
Energy and manufacturing companies that use Pro-face GP-Pro EX for HMI/SCADA configuration should care. This affects engineering workstations and configuration servers where HMI projects are developed and installed. Any site deploying or updating GP-Pro EX installations is at risk.
How it could be exploited
An attacker with local or low-privilege user access to a workstation running the GP-Pro EX installer could manipulate the installation process (likely through DLL injection, path traversal, or similar techniques) to execute arbitrary code with the elevated privileges of the installer, allowing modification of HMI configurations or injection of malicious logic into deployed systems.
Prerequisites
  • Local or low-privilege user account on the workstation where GP-Pro EX is being installed
  • Ability to modify installation files or environment during the install process
  • User interaction required (user must execute the installer)
  • Low complexity attack
  • Requires local access or low-privilege user account
  • Installation process requires user interaction
  • Could allow code execution with elevated privileges
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: GP-Pro EX V4.09.250 and prior
Affected Versions: ≤ 4.09.250
Fix Status: 4.09.300
Remediation & Mitigation
Do now
HARDENING: Verify downloaded GP-Pro EX installer ISO files by computing the file hash and comparing it with the value published at the official Pro-face download location before installation
HARDENING: Restrict access to the system and installation files to authorized engineering personnel only, applying least-privilege principles
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Pro-face GP-Pro EX to version 4.09.300 or later
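The installer hash check from the first HARDENING item, written out as an added Python example (it is not OTPulse's or Pro-face's code). The advisory publishes no installer hashes, so the file name and the "published" digest below are constructed placeholders; in practice the allowlist is filled from the official Pro-face download page.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # installer ISOs are large; hash them 1 MiB at a time


def sha256_of_file(path):
    """Stream the file through SHA-256 so a multi-GB ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_installer(path, allowlist):
    """Return (ok, reason). `allowlist` maps installer file names to the SHA-256
    hex digests published at the vendor's official download location.
    A file with no published hash is refused, not silently accepted."""
    name = Path(path).name
    expected = allowlist.get(name)
    if expected is None:
        return False, f"{name}: no published hash, refuse to install"
    actual = sha256_of_file(path)
    # compare_digest avoids an early-exit comparison; cost is negligible here
    if not hmac.compare_digest(actual.lower(), expected.lower()):
        return False, f"{name}: hash mismatch, got {actual[:16]}... expected {expected[:16]}..."
    return True, f"{name}: hash matches published value"


def demo():
    """Constructed scenario: write a fake installer image, record its hash as the
    'published' value, then modify the image and check again."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = Path(tmp) / "GPProEX_4.09.300_DEMO.iso"  # placeholder name, not a real file
        iso.write_bytes(b"demo installer image" * 1000)
        allowlist = {iso.name: sha256_of_file(iso)}  # stands in for the vendor's list
        pristine = verify_installer(iso, allowlist)
        with open(iso, "ab") as f:  # simulate the image being altered before it is run
            f.write(b"\x00")
        tampered = verify_installer(iso, allowlist)
        unlisted = verify_installer(Path(tmp) / "unknown.iso", allowlist)
        return pristine[0], tampered[0], unlisted[0]


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```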