OTPulse

EcoStruxure™ Power Monitoring Expert

Monitor | CVSS 6.7 | SEVD-2023-073-01 | Mar 14, 2023
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: Required
Summary

EcoStruxure Power Monitoring Expert and Power Operation contain a session expiration vulnerability (CWE-613) that fails to properly invalidate user sessions after expiration. An attacker who obtains or intercepts an expired session token can hijack the session and gain unauthorized access to the monitoring and control interfaces without providing valid credentials. This allows an attacker to view or potentially modify power system settings, monitoring configurations, and operational parameters.

What this means
What could happen
An attacker who gains access to an expired session token can hijack a user's authenticated session and access the Power Monitoring Expert interface without providing valid credentials, potentially viewing or modifying power system monitoring and control settings.
Who's at risk
Power utilities and energy-intensive facilities that use EcoStruxure Power Monitoring Expert or Power Operation for real-time energy management, power quality analysis, and operational monitoring. This includes municipal electric utilities, industrial facilities with on-premises power management systems, and data centers that rely on PME for power infrastructure visibility and control.
How it could be exploited
An attacker obtains or intercepts a session token from an active EcoStruxure Power Monitoring Expert user (through network sniffing, browser cache, or local access). The attacker then reuses this token to impersonate the user and interact with the PME interface after the legitimate session has expired, bypassing the session termination control.
Prerequisites
  • Local or network access to obtain/intercept session tokens
  • Knowledge of valid session token format or token from a legitimate user session
  • User interaction required for initial token capture (session must exist)
  • Access to the EcoStruxure Power Monitoring Expert web interface or API
  • Session expiration flaw allows unauthorized access
  • Low exploitation complexity required
  • Affects on-premises power monitoring systems
  • Requires user interaction or network access to obtain session token
  • Low current exploit probability (0.3% EPSS)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (5)
5 with fix
Product | Affected Versions | Fix Status
EcoStruxure™ Power Monitoring Expert | ≤ 2022 | 2022 CU1
EcoStruxure™ Power Monitoring Expert | 2021 | 2022 CU1
EcoStruxure™ Power Monitoring Expert | <2021 | 2022 CU1
EcoStruxure™ Power Operation | ≤ 2022 CU4 | 2022 CU5
EcoStruxure™ Power Operation | ≤ 2021 CU3 Hotfix 2 | 2022 CU5
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update EcoStruxure Power Monitoring Expert to version 2022 CU1 or later
  • HOTFIX: Update EcoStruxure Power Monitoring Expert 2021 to version 2021 CU2 or later
  • HOTFIX: Update EcoStruxure Power Operation to version 2022 CU5 or later
  • HOTFIX: Update EcoStruxure Power Operation 2021 to version 2021 CU3 Hotfix 3 or later
Long-term hardening
  • HARDENING: Implement network segmentation to restrict access to PME interfaces to authorized engineering networks only
  • HARDENING: Monitor and audit PME session logs for suspicious activity or sessions from unexpected users
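
One way to carry out the session-log audit recommended above, as an added example that is not code from the vendor or from this advisory. The log line layout, the field order, the `/logout` path and the 20-minute idle timeout are assumptions for illustration; map them to whatever your web server or reverse proxy in front of PME actually records.

```python
from datetime import datetime, timedelta

# Assumed policy value; set it to the idle timeout configured on your server.
IDLE_TIMEOUT = timedelta(minutes=20)

# Constructed sample records (hypothetical format, not real PME log output):
# timestamp, session id, client address, user, request path, HTTP status
SAMPLE_LOG = """\
2023-03-14T08:00:05 s-1a2b 10.10.5.21 operator1 /login 200
2023-03-14T08:04:40 s-1a2b 10.10.5.21 operator1 /dashboard 200
2023-03-14T08:10:02 s-9f3c 10.10.5.30 engineer2 /login 200
2023-03-14T08:12:30 s-9f3c 10.10.5.30 engineer2 /logout 200
2023-03-14T09:15:12 s-1a2b 10.10.7.88 operator1 /settings 200
2023-03-14T09:20:00 s-9f3c 10.10.5.30 engineer2 /dashboard 401
2023-03-14T09:21:00 s-9f3c 10.10.5.30 engineer2 /dashboard 200
"""

def find_stale_session_use(log_text, idle_timeout=IDLE_TIMEOUT):
    """Return findings for requests that a server accepted on a dead session."""
    last_seen = {}   # session id -> (time of last accepted request, client)
    ended = set()    # session ids that were explicitly logged out
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sid, client, user, path, status = line.split()
        when = datetime.fromisoformat(ts)
        if not status.startswith("2"):
            continue  # rejected request: the expiry control worked
        reasons = []
        if sid in ended:
            reasons.append("accepted after logout")
        if sid in last_seen:
            prev_when, prev_client = last_seen[sid]
            if when - prev_when > idle_timeout:
                reasons.append("accepted after idle timeout")
            if client != prev_client:
                reasons.append("client address changed")
        if reasons:
            findings.append((ts, sid, user, client, reasons))
        if path == "/logout":
            ended.add(sid)
        last_seen[sid] = (when, client)
    return findings

if __name__ == "__main__":
    for finding in find_stale_session_use(SAMPLE_LOG):
        print(finding)
```

A finding on a patched system points to a logging or timeout mismatch worth checking; on an unpatched system it is the behaviour CWE-613 describes and should be triaged as possible session reuse.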