IGSS (Interactive Graphical SCADA System)

Act Now9.8SEVD-2021-285-03Oct 12, 2021

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric IGSS Data Collector (dc.exe) contains multiple vulnerabilities related to buffer overflow (CWE-120), arbitrary file upload (CWE-434), path traversal (CWE-22), and missing authentication (CWE-306). These flaws could allow remote code execution on the Windows operating system hosting the IGSS component.

What this means

What could happen

An attacker could execute arbitrary code on the IGSS Data Collector, gaining control of the Windows machine running SCADA monitoring and process control logic. This could disrupt real-time monitoring of industrial processes or allow manipulation of control commands sent to PLCs.

Who's at risk

Water utilities, electric utilities, and manufacturing facilities using Schneider Electric IGSS for industrial process monitoring and control. This impacts any organization relying on IGSS Data Collector for SCADA operations, particularly those in energy and manufacturing sectors that depend on real-time process visibility and PLC communication.

How it could be exploited

An attacker with network access to the Data Collector can send a malicious request exploiting the buffer overflow or file upload vulnerability without authentication. Successful exploitation allows the attacker to execute arbitrary commands with the privileges of the process running dc.exe, typically SYSTEM or a privileged service account.

Prerequisites

Network access to the IGSS Data Collector (typical port 80 or 8080 for HTTP communication)
No authentication required - vulnerabilities are pre-authentication

Remotely exploitableNo authentication requiredLow complexity exploitationAffects SCADA monitoring and controlCritical CVSS score (9.8)

Exploitability

Moderate exploit probability (EPSS 2.5%)

Affected products (1)

ProductAffected VersionsFix Status

IGSS Data Collector (dc.exe) V15.0.0.21243 and prior≤ 15.0.0.2124315.0.0.21244

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDIf immediate patching is not possible, restrict network access to the IGSS Data Collector to only authorized engineering workstations and control network segments using firewall rules

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate IGSS Data Collector (dc.exe) to version 15.0.0.21244 or later

Long-term hardening

0/1

HARDENINGSegment the IGSS system onto a dedicated control network isolated from corporate IT networks and untrusted external connections

CVEs (4)

CVE-2021-22802 CVE-2021-22803 CVE-2021-22804 CVE-2021-22805

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b0c5fd69-62c8-4e94-84ee-ae3499e7d746