Harmony/Magelis iPC Series HMI, Vijeo Designer and Vijeo Designer Basic

Plan Patch7.1SEVD-2022-039-06Feb 8, 2022

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Schneider Electric reports an improper access control vulnerability in Harmony/Magelis iPC Series HMI and Vijeo Designer software. The installation directory has weak file permissions (ACLs) that allow local users to escalate privileges without authorization. This could allow a user with local access to the engineering workstation to gain administrative rights and potentially modify HMI project files or device configurations. Vijeo Designer is the configuration tool used to set up and manage Harmony/Magelis iPC Series HMI equipment.

What this means

What could happen

An attacker with local access to an engineering workstation running Vijeo Designer could escalate privileges by exploiting improper file permissions on the installation directory, potentially gaining unauthorized control over the HMI configuration or the connected Harmony/Magelis iPC hardware.

Who's at risk

This affects organizations using Schneider Electric Harmony/Magelis iPC Series HMI devices for manufacturing and energy control systems. Primary concern is engineering teams using Vijeo Designer (full or Basic versions) on Windows workstations to configure and maintain these HMI units. Affected personnel include control system engineers, system integrators, and configuration technicians with local workstation access.

How it could be exploited

An attacker with local workstation access exploits weak file permissions (ACLs) in the Vijeo Designer or Magelis iPC installation directory to modify files and escalate privileges from a regular user to administrative or system level. Once escalated, the attacker could modify HMI projects or device configurations before they are deployed to production equipment.

Prerequisites

Local access to engineering workstation running Vijeo Designer or Vijeo Designer Basic
No elevated credentials required—vulnerability can be exploited by any local user account
Vulnerable version of Vijeo Designer (before V6.2 SP11 Multi HotFix 4) or Vijeo Designer Basic (before v1.2.1) installed

Local privilege escalation possibleNo authentication required—any local user can exploitLow complexity attackAffects industrial control system configuration toolsCould allow unauthorized modification of HMI settings or deployed device configurations

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

Harmony/Magelis iPC Series All VersionsAll VersionsVersion V6.2 SP11 Multi HotFix 4

Vijeo Designer All≤ V6.2 SP11 Multiple HotFix 4Version V6.2 SP11 Multi HotFix 4

Vijeo Designer Basic All<V1.2.1Version 1.2.1

Remediation & Mitigation

0/5

Do now

0/1

HARDENINGReview and enforce proper file system permissions and access control lists on Vijeo Designer installation directories

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Vijeo Designer on engineering workstations to Version V6.2 SP11 Multi HotFix 4 or later using Schneider Electric Software Update (SESU) application

HOTFIXUpdate Vijeo Designer Basic to Version 1.2.1 or later (contact Schneider Electric Customer Care Center for installer)

HOTFIXAfter updating Vijeo Designer, connect to each Harmony iPC Series HMI device and download the project file with the patched software to apply fixes to the deployed device

Long-term hardening

0/1

HARDENINGRestrict local user access to engineering workstations running Vijeo Designer to authorized personnel only

CVEs (1)

CVE-2021-22817

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ddd73acb-3e66-4f14-8304-7ec788260190