OTPulse

Acti9 PowerTag Link C

Monitor
CVSS 6.8 · SEVD-2022-193-03 · Jul 12, 2022
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric's Acti9 PowerTag Link C has a privilege-management vulnerability (CWE-269: Improper Privilege Management). The PowerTag Link C is a panel-mounted energy monitoring device used in electrical distribution systems. Until the fix is applied, an attacker with physical access to the device can bypass its access controls and potentially reach other network-connected devices on the electrical panel network.

What this means
What could happen
An attacker could bypass access controls on the device and gain unauthorized access to your electrical panel network, potentially allowing them to access or manipulate other energy monitoring and control devices connected to the same network.
Who's at risk
Energy utilities and facility managers using Acti9 PowerTag Link C devices for electrical panel monitoring should prioritize updates. Any organization whose Schneider Electric panel instrumentation is built on these devices (models A9XELC10-A or A9XELC10-B), for example a mid-size water authority or a municipal electric utility, is in scope.
How it could be exploited
An attacker with physical access to the Acti9 PowerTag Link C (the advisory rates the attack vector as Physical, with no authentication or user interaction required) could exploit the privilege-management weakness to operate the device without valid credentials or with elevated privileges, then pivot to other devices on the electrical panel network.
Prerequisites
  • Physical access to the Acti9 PowerTag Link C device (attack vector: Physical; no credentials or user interaction needed)
  • Device running an affected firmware version: earlier than V1.7.5 (model A9XELC10-A) or V2.12.0 or earlier (model A9XELC10-B)
Tags: Improper privilege management vulnerability (CWE-269) · Could allow network pivot to other devices · Affects safety and operational integrity of electrical panels
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2), 2 with fix

Product                            | Affected Versions | Fix Status
Acti9 PowerTag Link C (A9XELC10-A) | < V1.7.5          | Fixed in V2.14.0
Acti9 PowerTag Link C (A9XELC10-B) | ≤ V2.12.0         | Fixed in V2.14.0
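To turn the affected-version table above into a repeatable inventory check, here is an added example (not code from OTPulse or Schneider Electric). It encodes the two ranges exactly as listed, a strict bound for A9XELC10-A (< V1.7.5) and an inclusive bound for A9XELC10-B (≤ V2.12.0), and lists which devices still need the V2.14.0 firmware. The inventory records and their (name, model, firmware) layout are constructed for the example; real asset exports will differ.

```python
"""Affected-firmware check for Acti9 PowerTag Link C devices.

Added example, not OTPulse's or Schneider Electric's code. The affected
ranges and fixed version come from the advisory table on this page; the
inventory format (name, model, firmware) is an assumption for the example.
"""
import re
from typing import NamedTuple

# Affected range per model, as given in the advisory table:
#   A9XELC10-A is affected strictly below V1.7.5 (bound exclusive),
#   A9XELC10-B is affected at or below V2.12.0 (bound inclusive).
# Both models are fixed in V2.14.0.
AFFECTED = {
    "A9XELC10-A": ((1, 7, 5), False),   # (bound, inclusive)
    "A9XELC10-B": ((2, 12, 0), True),
}
FIXED_VERSION = "V2.14.0"

_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'V1.7.5' or '1.7.5' into a comparable (major, minor, patch) tuple.

    Anything that is not three dotted integers is rejected rather than
    silently treated as "not affected".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(model: str, firmware: str) -> bool:
    """True if this model/firmware pair falls inside the advisory's range."""
    if model not in AFFECTED:
        raise KeyError(f"model {model!r} is not covered by this advisory")
    bound, inclusive = AFFECTED[model]
    v = parse_version(firmware)
    return v <= bound if inclusive else v < bound


class Device(NamedTuple):
    name: str
    model: str
    firmware: str


def devices_needing_update(inventory) -> list[Device]:
    """Return the devices from the inventory that must be moved to V2.14.0."""
    return [d for d in inventory if is_affected(d.model, d.firmware)]


# Constructed sample inventory for the example (not real devices).
SAMPLE_INVENTORY = [
    Device("panel-01", "A9XELC10-A", "V1.7.4"),   # below strict bound: affected
    Device("panel-02", "A9XELC10-A", "V1.7.5"),   # at strict bound: not affected
    Device("panel-03", "A9XELC10-B", "V2.12.0"),  # at inclusive bound: affected
    Device("panel-04", "A9XELC10-B", "V2.14.0"),  # already on the fixed release
]

if __name__ == "__main__":
    for d in devices_needing_update(SAMPLE_INVENTORY):
        print(f"{d.name}: {d.model} {d.firmware} -> update to {FIXED_VERSION}")
```

The strict-versus-inclusive distinction is deliberate: a device on exactly V1.7.5 (model A) is outside the listed range, while one on exactly V2.12.0 (model B) is inside it, and a naive "less than or equal" for both would misclassify model A.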
Remediation & Mitigation
Schedule: requires a maintenance window. Patching may require a device reboot; plan for process interruption.

Acti9 PowerTag Link C (A9XELC10-A) < V1.7.5 and (A9XELC10-B) ≤ V2.12.0
  • HOTFIX: Update firmware to V2.14.0 on all Acti9 PowerTag Link C devices (both A9XELC10-A and A9XELC10-B models).
All products
  • HARDENING: Monitor firmware update status using the FESB mobile application to verify that every device has been patched.
  • HOTFIX: Contact the Schneider Electric Customer Care Center if automatic firmware updates fail or for assistance with manual updates.