Conext™ ComBox
Severity 7.5 · SEVD-2022-165-03 · Jun 14, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Schneider Electric Conext™ ComBox contains multiple vulnerabilities (clickjacking, cross-site request forgery, rate limiting bypass) that could allow an attacker to trick users into performing unintended actions. The ComBox is a web-based communication and monitoring device for Conext solar systems. The product was discontinued in January 2020 and is no longer supported, with no security patches available. Successful exploitation could lead to account takeover or manipulation of solar system settings and monitoring data.
What this means
What could happen
An attacker could trick a ComBox user or administrator into performing unintended actions through clickjacking or forged requests, potentially leading to account takeover or unauthorized changes to solar system settings and monitoring data.
Who's at risk
Solar energy operators and installers who run Conext ComBox devices for monitoring and controlling Conext solar photovoltaic systems. This includes facility operators, maintenance technicians, and remote monitoring staff who access the ComBox web interface. Solar installation companies and integrators that manage multiple Conext installations are also at risk.
How it could be exploited
An attacker could craft a malicious web page or email that tricks a ComBox user into clicking hidden elements or submitting forged requests while logged into the web interface. These attacks exploit the lack of proper request validation and clickjacking defenses to manipulate system settings or capture administrative access.
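Because no patch exists, the practical defenses are network isolation plus whatever a reverse proxy placed in front of the device can add. As an added example (not part of the advisory, and making no claim about what headers the ComBox itself sends), a small Python audit checks a response for the two browser-side controls relevant here: framing restrictions against clickjacking and SameSite session cookies as a partial CSRF control. The two header sets are constructed.

```python
"""Audit HTTP response headers for clickjacking and CSRF defenses (added example)."""

# Constructed sample: what an unpatched embedded web interface might send.
UNPROTECTED = {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/",
}

# Constructed sample: the same response after a reverse proxy adds defenses.
PROXIED = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
}


def audit_headers(headers: dict) -> dict:
    """Return which defenses a response carries.

    headers: header name -> value (Set-Cookie may be a list of strings).
    """
    h = {k.lower(): v for k, v in headers.items()}

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors
    # directive that does not allow any origin ("*").
    xfo = h.get("x-frame-options", "").strip().upper()
    frame_ancestors = None
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            frame_ancestors = parts[1:]
    framing_blocked = xfo in ("DENY", "SAMEORIGIN") or (
        frame_ancestors is not None and "*" not in frame_ancestors
    )

    # CSRF: every cookie must be SameSite=Lax or Strict so a forged cross-site
    # request is not sent with the session. This limits, but does not replace,
    # per-request anti-CSRF tokens, which a proxy cannot retrofit.
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    cookies_samesite = bool(cookies) and all(
        "samesite=lax" in c.lower() or "samesite=strict" in c.lower()
        for c in cookies
    )
    return {"framing_blocked": framing_blocked, "cookies_samesite": cookies_samesite}
```

Run the audit against live responses from the proxy, not the device, to confirm the compensating controls are actually reaching the browser.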
Prerequisites
- User or administrator must be logged into ComBox web interface
- Attacker must be able to host a malicious web page or send a crafted email the user will visit while logged into ComBox
- Network access to ComBox HTTP/HTTPS interface not required if social engineering is successful
- No patch available
- Product end-of-life (discontinued January 2020)
- Affects energy sector critical infrastructure
- Low complexity attacks (clickjacking, CSRF)
- Could lead to account takeover and system configuration changes
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: Conext™ ComBox (All Versions)
Affected Versions: All Versions
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Ensure ComBox is not accessible from the Internet and minimize its network exposure
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Implement physical access controls: place ComBox in a locked cabinet and ensure it never runs in Program mode during operation
HARDENING: Use VPN with secure authentication for any required remote access to ComBox
HARDENING: Restrict mobile device access to the ComBox network; scan all removable media (USB, CD) before connecting to the control network
Mitigations - no patch available
Conext™ ComBox All Versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate ComBox and other control system networks behind firewalls, separated from business networks