OTPulse

SpaceLogic C-Bus Home Controller, formerly known as C-Bus Wiser Home Controller MK2

Act Now | 8.8 | SEVD-2022-193-02 | Jul 12, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A command injection vulnerability exists in the SpaceLogic C-Bus Home Controller (5200WHC2), formerly known as C-Bus Wiser Home Controller MK2. An authenticated attacker can inject arbitrary OS commands and achieve remote root-level code execution on the device. The vulnerability affects firmware version V1.31.460 and earlier. Remediation requires updating firmware using PICED installer V4.14.0 or later and applying a device reboot.

What this means
What could happen
An attacker with valid credentials can inject arbitrary OS commands into the C-Bus Home Controller, gaining root-level access to execute any commands and potentially disrupt home automation functions, control circuits, or access connected systems.
Who's at risk
Residential and small business automation operators using the SpaceLogic C-Bus Home Controller (5200WHC2) for controlling lighting, HVAC, security, and other home automation functions. Energy utilities deploying this device as part of home automation or demand-side management programs.
How it could be exploited
An attacker with valid engineering or administrative credentials connects to the SpaceLogic C-Bus Home Controller over the network and crafts a malicious input to a command-processing function. The injected OS command is executed with root privileges, allowing the attacker to run arbitrary code on the device.
Prerequisites
  • Valid engineering or administrative credentials for the C-Bus Home Controller
  • Network access to the C-Bus Home Controller management interface
  • Knowledge of input fields vulnerable to command injection
Remotely exploitable · Requires valid credentials · Low complexity exploitation · High EPSS score (93.8%) · Root-level code execution · OS command injection (CWE-78)
Exploitability
High exploit probability (EPSS 93.8%)
Affected products (1)
Product | Affected Versions | Fix Status
SpaceLogic C-Bus Home Controller (5200WHC2) | ≤ V1.31.460 | V4.14.0
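An added example, not part of the original advisory or any vendor tooling: triage of an asset inventory against the affected range above (5200WHC2, firmware V1.31.460 and earlier). The CSV columns, host names and the V1.32.0 sample version are constructed assumptions; versions are compared numerically so that v1.9.12 is correctly treated as older than V1.31.460.

```python
import csv
import io
import re

AFFECTED_MODEL = "5200WHC2"      # model named in the advisory
LAST_AFFECTED = (1, 31, 460)     # V1.31.460 and earlier are affected

# Constructed sample inventory; hosts, columns and versions are illustrative.
SAMPLE_INVENTORY = """host,model,firmware
wiser-lobby,5200WHC2,V1.31.460
wiser-plant,5200WHC2,v1.9.12
wiser-annex,5200WHC2,V1.32.0
wiser-lab,5200WHC2,unknown
hvac-gw,OTHER-MODEL,V1.0.0
"""

def parse_version(text):
    """Return (major, minor, build) or None if the string is not Vx.y.z."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(model, firmware):
    """Return 'affected', 'not-affected', 'unknown' or 'out-of-scope'."""
    if model.strip().upper() != AFFECTED_MODEL:
        return "out-of-scope"
    version = parse_version(firmware)
    if version is None:
        return "unknown"         # unparseable: needs manual verification
    # Tuple comparison is numeric per field, unlike a plain string compare.
    return "affected" if version <= LAST_AFFECTED else "not-affected"

def triage(inventory_csv):
    """Map each host in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["model"], r["firmware"]) for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices reported as "unknown" should be checked by hand rather than assumed safe.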
Remediation & Mitigation
Do now
HARDENING: Review and restrict administrative credential access to authorized personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SpaceLogic C-Bus Home Controller (5200WHC2) firmware using PICED installer V4.14.0 or later
Long-term hardening
HARDENING: Isolate the C-Bus Home Controller on a dedicated network segment with access controls to the management interface