AccuSine PCSn/PCS+/PFV+
Plan Patch · 7.2 · SEVD-2021-222-05 · Aug 10, 2021
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
Schneider Electric AccuSine PCSn, PCS+, and PFV+ products contain an unnecessary FTP service that does not require strong authentication and is not needed for normal operation. An authenticated attacker with access to this FTP service could modify device configuration, leading to unexpected behavior or device failure. The vulnerability affects power quality and harmonic mitigation functions critical to electrical network stability.
What this means
What could happen
An attacker with valid admin credentials could access your power quality device via FTP and alter its configuration or disable it, disrupting harmonic mitigation and power factor correction across your electrical network.
Who's at risk
Energy sector operators who manage electrical distribution networks with Schneider Electric AccuSine PCS+ and PFV+ power quality correction units and AccuSine PCSn harmonic mitigation devices should prioritize this vulnerability: a compromise could disrupt power factor and harmonic control across the facility.
How it could be exploited
An attacker with administrative credentials (a default or unchanged admin password) connects to the unused FTP service on the AccuSine device. Once connected, the attacker can read or modify device configuration files, potentially changing power quality settings or causing device failure.
Prerequisites
- Valid administrative credentials (default password if not changed)
- Network access to FTP port (typically port 21) on the AccuSine device
- Device running vulnerable firmware version
- Remotely exploitable
- Requires valid administrative credentials
- Default credentials likely in use at many sites
- Affects critical power quality control infrastructure
- No patch available initially (now patched)
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (3)
3 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| AccuSine PCS+ | <1.6.7 | 1.6.7 |
| AccuSine PFV+ | <1.6.7 | 1.6.7 |
| AccuSine PCSn | <2.2.4 | 2.2.4 |
Remediation & Mitigation
Do now
- WORKAROUND: Change the administrative password from the default value immediately, following the user manual instructions
- HARDENING: Restrict network access to FTP port 21 on AccuSine devices using firewall rules until firmware is updated
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
AccuSine PCS+
- HOTFIX: Upgrade AccuSine PCS+ and PFV+ to firmware version 1.6.7 or later
AccuSine PCSn
- HOTFIX: Upgrade AccuSine PCSn to firmware version 2.2.4 or later
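To track the remediation items above across a site, the following added example (not part of the advisory and not Schneider Electric tooling) checks a device inventory against the fixed firmware versions in the table and tests whether FTP port 21 is still reachable from the machine running it. The inventory format, function names and the 192.0.2.x addresses are assumptions constructed for illustration.

```python
import socket

# Fixed firmware versions, taken from the affected-products table above.
FIXED = {
    "AccuSine PCS+": (1, 6, 7),
    "AccuSine PFV+": (1, 6, 7),
    "AccuSine PCSn": (2, 2, 4),
}

def parse_version(text):
    """Turn '1.6.10' into (1, 6, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))

def needs_upgrade(product, firmware):
    """True when the firmware is older than the fixed version for that product."""
    return parse_version(firmware) < FIXED[product]

def ftp_port_open(host, port=21, timeout=2.0):
    """True when a TCP connection to the FTP port succeeds from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False

def audit(inventory, probe=ftp_port_open):
    """Return (host, outstanding actions) for every device in the inventory."""
    findings = []
    for dev in inventory:
        actions = []
        if needs_upgrade(dev["product"], dev["firmware"]):
            fixed = ".".join(map(str, FIXED[dev["product"]]))
            actions.append(f"upgrade firmware to {fixed} or later")
        if probe(dev["host"]):
            actions.append("restrict access to FTP port 21")
        findings.append((dev["host"], actions))
    return findings

# Constructed inventory (hypothetical format; TEST-NET addresses, not real devices).
SAMPLE_INVENTORY = [
    {"host": "192.0.2.10", "product": "AccuSine PCS+", "firmware": "1.6.5"},
    {"host": "192.0.2.11", "product": "AccuSine PFV+", "firmware": "1.6.10"},
    {"host": "192.0.2.12", "product": "AccuSine PCSn", "firmware": "2.2.4"},
]

if __name__ == "__main__":
    for host, actions in audit(SAMPLE_INVENTORY):
        print(host, "->", "; ".join(actions) or "no action from this advisory")
```

Run it from the network segment whose access you intend to block: a closed result only describes reachability from that vantage point, not whether the FTP service is running on the device.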
CVEs (1)
API:
/api/v1/advisories/2871690d-fa68-4edd-97cd-d35d4ea45207