EcoStruxure™ Control Expert, EcoStruxure™ Process Expert, SCADAPack RemoteConnect™ for x70
Plan Patch | 7.8 | SEVD-2021-257-01 | Sep 14, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Multiple vulnerabilities exist in EcoStruxure Control Expert, EcoStruxure Process Expert, and SCADAPack RemoteConnect for x70 that stem from improper handling of project files. The primary risk is path traversal (CWE-22) that allows an attacker to manipulate project files in ways that could alter controller logic, inject commands, or cause denial of service disrupting communication between Modicon/SCADAPack controllers and engineering workstations. Affected products include EcoStruxure Control Expert (used to program Modicon M340, M580, M580S, Premium, Momentum, and Quantum PLCs), EcoStruxure Process Expert (a DCS for water, mining, cement, power, chemical, and oil/gas), and SCADAPack RemoteConnect (used to program SCADAPack 470, 474, 570, 574, 575 RTUs).
What this means
What could happen
An attacker could modify engineering project files or cause communication disruptions between controllers and engineering workstations, potentially disrupting control system operations or allowing unauthorized changes to PLC/RTU logic.
Who's at risk
Water utilities, electric utilities, oil and gas operators, and mining/cement facilities that use Schneider Electric's EcoStruxure Control Expert for Modicon M340/M580/Premium/Quantum PLCs, EcoStruxure Process Expert for DCS operations, or SCADAPack RemoteConnect for managing SCADAPack 470/474/570/574/575 RTUs should apply these patches. Engineering and operations teams who create or exchange project files are most directly affected.
How it could be exploited
An attacker with access to project files (via network share, email, or removable media) could manipulate them to inject malicious commands into the Modicon controller or SCADAPack RTU. The vulnerability requires user interaction—the engineer must open a compromised project file in EcoStruxure Control Expert, Process Expert, or RemoteConnect on a Windows workstation. Once opened, the attacker's code executes with the privileges of the logged-in user.
Prerequisites
Local access to the workstation running EcoStruxure Control Expert, Process Expert, or RemoteConnect
Ability to place or intercept a malicious project file (.prj, .xml, or similar) where an engineer will open it
User must open the malicious file in the affected software
No valid engineering credentials required if file access is obtained
Low attack complexity (file-based, no network intrusion required)
Requires user interaction (engineer must open file)
Affects critical automation software used in safety-related environments
Default non-admin configuration reduces severity but does not eliminate risk
Path traversal vulnerability (CWE-22) can allow writing to unintended system locations
Exploitability
Low exploit probability (EPSS 1.0%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
EcoStruxure™ Control Expert | ≤ V15.0 SP1 | V15.1
EcoStruxure™ Process Expert | ≤ V2020 | =>2021
SCADAPack RemoteConnect™ for x70 | <R2.7.3 | =>R2.7.3
Remediation & Mitigation
Do now
WORKAROUND: Store all project files in secure storage with restricted access limited to trusted engineering staff only
WORKAROUND: Use secure communication protocols (VPN, SFTP, or encrypted channels) when exchanging project files over the network
WORKAROUND: Compute and verify checksums on all project files before opening them to detect unauthorized modifications
HARDENING: Run EcoStruxure software without administrator privileges to limit impact if files are extracted to system folders
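One way to carry out the checksum workaround above, as an added example that is not part of the original advisory and not Schneider Electric tooling: a Python check of a project folder against a SHA-256 manifest. It assumes the manifest uses the `sha256sum` text layout and reaches the engineer separately from the project files; the function names and that layout are assumptions of the example.

```python
import hashlib
import hmac
import re
from pathlib import Path, PurePosixPath

# Assumed manifest layout (sha256sum text mode): "<64 hex chars>  <relative path>"
ENTRY = re.compile(r"([0-9a-fA-F]{64})  (.+)")


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large project archives are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_manifest(text):
    """Return {relative path: digest}; refuse entries that point outside the folder."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        match = ENTRY.fullmatch(line.rstrip())
        if not match:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        name = match.group(2).replace("\\", "/")
        path = PurePosixPath(name)
        # Absolute paths, drive letters and ".." segments have no place in a manifest.
        if path.is_absolute() or ":" in name or ".." in path.parts:
            raise ValueError(f"manifest line {lineno}: path escapes project folder")
        entries[path.as_posix()] = match.group(1).lower()
    return entries


def verify_tree(root, manifest):
    """Compare every file under root with the manifest and classify the result."""
    root = Path(root)
    report = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for name, expected in sorted(manifest.items()):
        target = root / name
        if not target.is_file():
            report["missing"].append(name)
        elif hmac.compare_digest(sha256_file(target), expected):
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["unlisted"] = sorted(on_disk - manifest.keys())
    return report
```

A folder is safe to open in the engineering software only when `modified`, `missing` and `unlisted` all come back empty.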
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade EcoStruxure Control Expert to version V15.1 or later
HOTFIX: Upgrade EcoStruxure Process Expert to version 2021 or later
HOTFIX: Upgrade SCADAPack RemoteConnect for x70 to version R2.7.3 or later
Long-term hardening
HARDENING: Harden engineering workstations running RemoteConnect with standard endpoint security controls (host firewall, antivirus, disable unnecessary services)