OTPulse

EcoStruxure™ Power Operation 2021, EcoStruxure™ Power SCADA Operation 2020 and EcoStruxure™ Power SCADA Operation 2020 R2

Plan Patch · CVSS 7.1 · SEVD-2022-284-04 · Oct 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

A vulnerability exists in EcoStruxure Power Operation and Power SCADA Operation software due to improper input validation. An attacker could craft a malicious request to the server that bypasses input checks, potentially leading to data confidentiality loss, data integrity issues, or denial of access to the server. This affects on-premises deployments of Power Operation 2021, Power SCADA Operation 2020, and Power SCADA Operation 2020 R2.

What this means
What could happen
An attacker could alter the integrity of power system monitoring or control data, or prevent access to the SCADA server, disrupting visibility and management of medium and lower voltage power infrastructure.
Who's at risk
Electric utilities and energy infrastructure operators using EcoStruxure Power SCADA Operation 2020, 2020 R2, or Power Operation 2021 installations on-premises. This affects SCADA servers that monitor and control medium and lower voltage power systems. Operators of substations and power distribution facilities that rely on this software for supervisory control and data acquisition should prioritize assessment.
How it could be exploited
An attacker with network access to the EcoStruxure Power SCADA or Power Operation server could send a specially crafted request that bypasses input validation (CWE-20), allowing them to inject malicious data or commands that affect the server's operation or data integrity. User interaction may be required as part of the attack chain.
Prerequisites
  • Network access to the EcoStruxure Power Operation or Power SCADA Operation server
  • Server must be reachable from attacker's network location
  • User interaction or specific application state may be required to trigger exploitation
Remotely exploitable · User interaction required · Input validation bypass (CWE-20) · No patch available for some product versions · Affects power system visibility and control
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (6)
3 with fix, 3 pending

| Product | Affected Versions | Fix Status |
|---|---|---|
| EcoStruxure™ Power SCADA Operation 2020 | 2020 | No fix yet |
| EcoStruxure™ Power SCADA Operation 2020 CU1 | 2020 CU1 | No fix yet |
| EcoStruxure™ Power SCADA Operation | 2020 R2 <CU1 | >=CU1 |
| EcoStruxure™ Power Operation 2021 CU2 | 2021 CU2 | 2021 Cumulative Update 3 (CU3) |
| EcoStruxure™ Power Operation 2021 | 2021 | No fix yet |
| EcoStruxure™ Power Operation 2021 CU1 | 2021 CU1 | 2021 Cumulative Update 3 (CU3) |

Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade EcoStruxure Power SCADA Operation 2020 R2 to Cumulative Update 1 (CU1) or newer
  • HOTFIX: Upgrade EcoStruxure Power Operation 2021 or 2021 CU1 to Cumulative Update 3 (CU3) or newer
Long-term hardening
  • HARDENING: For EcoStruxure Power SCADA Operation 2020 and 2020 CU1 (no patch available), implement network segmentation to limit access to the SCADA server from authorized engineering workstations only
  • HARDENING: For EcoStruxure Power Operation 2021 (non-CU version, no patch available), implement network segmentation to restrict access to the server
EcoStruxure™ Power Operation 2021, EcoStruxure™ Power SCADA Operation 2020 and EcoStruxure™ Power SCADA Operation 2020 R2 | CVSS 7.1 - OTPulse