Harmony/Magelis iPC Series HMI, Vijeo Designer and Vijeo Designer Basic
Plan PatchCVSS 7.1SEVD-2022-039-06Feb 8, 2022
Schneider ElectricEnergyManufacturing
Attack path
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary
Schneider Electric reports an improper access control vulnerability in Harmony/Magelis iPC Series HMI and Vijeo Designer software. The installation directory has weak file permissions (ACLs) that allow local users to escalate privileges without authorization. This could allow a user with local access to the engineering workstation to gain administrative rights and potentially modify HMI project files or device configurations. Vijeo Designer is the configuration tool used to set up and manage Harmony/Magelis iPC Series HMI equipment.
What this means
What could happen
An attacker with local access to an engineering workstation running Vijeo Designer could escalate privileges by exploiting improper file permissions on the installation directory, potentially gaining unauthorized control over the HMI configuration or the connected Harmony/Magelis iPC hardware.
Who's at risk
This affects organizations using Schneider Electric Harmony/Magelis iPC Series HMI devices for manufacturing and energy control systems. Primary concern is engineering teams using Vijeo Designer (full or Basic versions) on Windows workstations to configure and maintain these HMI units. Affected personnel include control system engineers, system integrators, and configuration technicians with local workstation access.
How it could be exploited
An attacker with local workstation access exploits weak file permissions (ACLs) in the Vijeo Designer or Magelis iPC installation directory to modify files and escalate privileges from a regular user to administrative or system level. Once escalated, the attacker could modify HMI projects or device configurations before they are deployed to production equipment.
Prerequisites
- Local access to engineering workstation running Vijeo Designer or Vijeo Designer Basic
- No elevated credentials required—vulnerability can be exploited by any local user account
- Vulnerable version of Vijeo Designer (before V6.2 SP11 Multi HotFix 4) or Vijeo Designer Basic (before v1.2.1) installed
Local privilege escalation possibleNo authentication required—any local user can exploitLow complexity attackAffects industrial control system configuration toolsCould allow unauthorized modification of HMI settings or deployed device configurations
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (3)
3 with fix
ProductAffected VersionsFix Status
Harmony/Magelis iPC Series All VersionsAll VersionsVersion V6.2 SP11 Multi HotFix 4
Vijeo Designer All≤ V6.2 SP11 Multiple HotFix 4Version V6.2 SP11 Multi HotFix 4
Vijeo Designer Basic All<V1.2.1Version 1.2.1
Remediation & Mitigation
0/5
Do now
0/1HARDENINGReview and enforce proper file system permissions and access control lists on Vijeo Designer installation directories
Schedule — requires maintenance window
0/3Patching may require device reboot — plan for process interruption
HOTFIXUpdate Vijeo Designer on engineering workstations to Version V6.2 SP11 Multi HotFix 4 or later using Schneider Electric Software Update (SESU) application
HOTFIXUpdate Vijeo Designer Basic to Version 1.2.1 or later (contact Schneider Electric Customer Care Center for installer)
HOTFIXAfter updating Vijeo Designer, connect to each Harmony iPC Series HMI device and download the project file with the patched software to apply fixes to the deployed device
Long-term hardening
0/1HARDENINGRestrict local user access to engineering workstations running Vijeo Designer to authorized personnel only
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/ddd73acb-3e66-4f14-8304-7ec788260190Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.