OTPulse
FeedAboutContact

Easergy T300

Act Now6.8SEVD-2022-011-02Jan 11, 2022
Attack VectorAdjacent
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary

A buffer overflow vulnerability in Easergy T300 RTU firmware versions 2.7.1 and earlier allows arbitrary code execution. The Easergy T300 is a modular platform used for medium and low voltage public distribution network management. The vulnerability can result in denial of service or unauthorized command execution on the device. The 3G/4G hardware module, if enabled, presents an additional attack vector. Firmware version 2.8 contains a fix for this vulnerability.

What this means
What could happen
An attacker could execute arbitrary code on the Easergy T300 RTU, potentially disrupting network management operations, causing denial of service, or allowing unauthorized control of medium and low voltage distribution equipment.
Who's at risk
This vulnerability affects medium and low voltage distribution network operators, including municipal utilities and power distribution companies that rely on Easergy T300 RTUs for network management and monitoring. Any facility using Easergy T300 devices with firmware version 2.7.1 or earlier is at risk.
How it could be exploited
An attacker with adjacent network access could exploit a buffer overflow vulnerability (CWE-120) in the Easergy T300 to execute arbitrary code. If the 3G/4G hardware module is enabled, this module could be used as an attack vector; otherwise, exploitation requires direct network access to the device on the local segment.
Prerequisites
  • Adjacent network access to the Easergy T300 (AV:A indicates local network or adjacent network segment)
  • No credentials required (PR:N)
  • High complexity for exploitation but feasible (AC:H)
Remotely exploitable via local networkHigh EPSS score (65.4%)Buffer overflow (CWE-120)No authentication requiredAffects critical infrastructure (energy sector)Optional 3G/4G module can extend attack surface
Exploitability
High exploit probability (EPSS 65.4%)
Affected products (1)
ProductAffected VersionsFix Status
Easergy T300 <=2.7.1≤ 2.7.12.8
Remediation & Mitigation
0/2
Do now
0/1
WORKAROUNDDisable the 3G/4G hardware module until firmware upgrade is completed, if the module is currently enabled
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Easergy T300 firmware to version 2.8 or later
View full Schneider Electric advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/71a6b502-f502-48d1-b70c-9fb72c4e851f
Easergy T300 | CVSS 6.8 - OTPulse