OTPulse
FeedAboutContact

Ritto Wiser™ Door

Plan Patch8.8SEVD-2022-067-03Mar 8, 2022
Attack VectorAdjacent
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Schneider Electric Ritto Wiser™ Door contains a vulnerability (CWE-200: Information Exposure) that allows unauthorized door unlocking. The Ritto Wiser™ Door is a networked door communication and access control device used in facility management, accessible via both a wall-mounted panel and mobile app. Affected versions: all versions. The vulnerability can be exploited by an attacker on the local network without requiring authentication or user interaction. No vendor patch is available.

What this means
What could happen
An attacker with access to the local network could unlock physical doors controlled by the Ritto Wiser™ Door system without authentication, potentially allowing unauthorized entry to critical facilities.
Who's at risk
Facility managers and security personnel at energy sector sites (power plants, substations, distribution facilities) that use Ritto Wiser™ Door for access control should be concerned. This affects any organization relying on this door communication system for physical security of critical infrastructure or controlled areas.
How it could be exploited
An attacker on the same local network as a Ritto Wiser™ Door device could exploit an information disclosure or authentication bypass vulnerability to unlock the door. The attack requires no credentials and low complexity—the attacker sends a command to the device over the network to trigger the door unlock function.
Prerequisites
  • Network access to the local network segment where the Ritto Wiser™ Door device is connected
  • Device must be powered and operational
remotely exploitableno authentication requiredlow complexityno patch availableaffects physical security of critical infrastructure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
Ritto Wiser™ Door All versionsAll versionsNo fix (EOL)
Remediation & Mitigation
0/4
Do now
0/2
HARDENINGIsolate the Ritto Wiser™ Door system and its network segment from the business network using firewalls and network segmentation
WORKAROUNDRestrict network access to the Ritto Wiser™ Door device: only allow connections from authorized control systems and administrative workstations, block all other inbound traffic
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HARDENINGInstall physical access controls to prevent unauthorized personnel from accessing the device itself or the network it is connected to
HARDENINGMonitor and audit all network traffic to and from the Ritto Wiser™ Door device for unauthorized commands
View full Schneider Electric advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/6e1b96e0-2da1-45a1-aa02-dcfccdd76165
Ritto Wiser™ Door | CVSS 8.8 - OTPulse