OTPulse

EcoStruxure Power Commission

Monitor | CVSS 6.5 | SEVD-2022-165-05 | Jun 14, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

EcoStruxure Power Commission software versions prior to V2.22 contain multiple vulnerabilities that could allow remote code execution and information disclosure. The software is used for setup, testing, and commissioning of low voltage power distribution switchboards. Versions V2.22 and later contain fixes for these issues.

What this means
What could happen
An attacker could gain unauthorized access to the switchboard commissioning process, potentially reading sensitive configuration data or executing commands that alter distribution settings. This could lead to power delivery disruptions or loss of critical operational parameters.
Who's at risk
Electrical utilities and power distribution facility engineers who use EcoStruxure Power Commission for low voltage switchboard commissioning and setup. This affects anyone managing or maintaining power distribution infrastructure that relies on this software for configuration and testing.
How it could be exploited
An attacker could deliver a malicious file through the software or trick an engineer into opening a crafted input that exploits the path traversal or resource handling flaws. Once exploited, the attacker could access sensitive files or run code in the context of the EcoStruxure Power Commission application.
Prerequisites
  • Network access to the workstation running EcoStruxure Power Commission
  • User interaction required (engineer must open or interact with malicious file)
  • Access to the switchboard or commissioning interface is not necessarily required
remotely exploitable, user interaction required, affects power distribution commissioning, low EPSS score (0.6%)
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
Product | Affected Versions | Fix Status
EcoStruxure Power Commission <V2.22 | <V2.22 | >=V2.22
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update EcoStruxure Power Commission to version V2.22 or later