OTPulse

Wiser Smart

Priority: Act Now
Score: 9.4
Advisory ID: SEVD-2022-130-03
Published: May 10, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric has identified multiple vulnerabilities in Wiser Smart home automation products (EER21000 and EER21001, versions 4.5 and earlier) that can lead to root-level access and arbitrary code execution. The vulnerabilities are associated with hardcoded credentials (CWE-798), weak password validation (CWE-307), improper authentication (CWE-287), and missing input validation (CWE-20). No vendor patch is available for these products.

What this means
What could happen
An attacker could gain root-level access to Wiser Smart devices and execute arbitrary code, potentially disrupting energy consumption monitoring and control of critical building systems like HVAC and appliances.
Who's at risk
Building and facility managers, energy companies, and utilities that deploy Wiser Smart home automation systems (EER21000 and EER21001 models) for energy consumption monitoring and control of HVAC, lighting, and appliance loads.
How it could be exploited
An attacker with network access to a Wiser Smart device (EER21000 or EER21001 running version 4.5 or earlier) can exploit hardcoded credentials, weak password validation, or improper access controls to gain root access without authentication, then execute arbitrary commands on the device.
Prerequisites
  • Network access to the Wiser Smart device (port and service not specified)
  • Device running Wiser Smart version 4.5 or earlier
  • No special credentials or user interaction required
Key points: remotely exploitable · no authentication required · low complexity attack · root-level code execution possible · no patch available · affects building automation and energy management
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product: Wiser Smart
Affected Versions: ≤ 4.5
Fix Status: No fix yet
Remediation & Mitigation
Do now
  • Hardening: Isolate Wiser Smart devices and the networks they operate on behind firewalls, separate from business networks and internet access
  • Hardening: Restrict network access to Wiser Smart devices using firewall rules and access control lists; only permit connections from authorized management workstations
  • Hardening: Ensure Wiser Smart devices are not accessible from the internet; use air-gapping or VPN with multi-factor authentication if remote access is required
  • Hardening: Never leave devices in Program mode; return to Run mode after maintenance
Long-term hardening
  • Hardening: Implement physical access controls: lock cabinets containing devices and prevent unauthorized personnel from accessing the devices or programming interfaces
  • Hardening: Scan all removable media (USB drives, CDs) for malware before connecting to networks with Wiser Smart devices