OTPulse
FeedAboutContact

PowerLogic ION Setup

Plan Patch8SEVD-2022-130-01May 10, 2022
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionRequired
Summary

PowerLogic ION Setup contains an input validation flaw that could allow remote code execution on the engineering workstation running the software. ION Setup is used to configure and maintain PowerLogic metering devices.

What this means
What could happen
An attacker could execute arbitrary code on the engineering workstation running PowerLogic ION Setup, potentially compromising the ability to manage and update metering devices across your facility.
Who's at risk
Energy sector operators who use PowerLogic ION Setup to configure and maintain metering devices should prioritize this patch. This affects IT and engineering staff responsible for meter management and configuration on workstations in the control network.
How it could be exploited
An attacker with network access to a user running ION Setup can exploit an input validation flaw to execute code on that workstation. The CVSS vector indicates the attacker needs low-level user privileges and can trigger the vulnerability via user interaction (e.g., opening a malicious configuration file or network request).
Prerequisites
  • Network access to the engineering workstation running PowerLogic ION Setup
  • Low-privilege user account or the ability to interact with a logged-in ION Setup user
  • User interaction (e.g., opening a crafted file or accepting a network request)
remotely exploitablelow complexityuser interaction requiredaffects engineering workstations
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (1)
ProductAffected VersionsFix Status
PowerLogic ION Setup<3.2.22096.013.2.22096.01
Remediation & Mitigation
0/3
Do now
0/1
HARDENINGBack up system configurations before applying the patch
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate PowerLogic ION Setup to version 3.2.22096.01 or later
HARDENINGTest the patch in a development environment or offline system before applying to production engineering workstations
View full Schneider Electric advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/d2767fe7-27de-4b01-b3b1-2dc0b1b04ed9
PowerLogic ION Setup | CVSS 8 - OTPulse