PowerLogic™ HDPM6000
Act Now | 9.8 | SEVD-2023-073-02 | Mar 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
PowerLogic™ HDPM6000 is vulnerable to a buffer overflow (CWE-129) in firmware versions 0.58.6 and earlier. An attacker could send a specially crafted input over the network to trigger the overflow, resulting in denial of service (device crash) or remote code execution on the power meter. The HDPM6000 is a high-density power meter used for multi-circuit busway and panelboard monitoring in electrical distribution systems.
What this means
What could happen
An attacker could exploit a buffer overflow in the HDPM6000 power meter to crash the device (denial of service) or execute arbitrary code on it, potentially allowing unauthorized monitoring, modification of power consumption data, or interference with facility power monitoring and billing systems.
Who's at risk
Electrical utilities and facilities management teams responsible for high-density busway and panelboard installations should review this advisory. Any facility using PowerLogic™ HDPM6000 multi-circuit power meters for power monitoring, load balancing, or billing is affected.
How it could be exploited
An attacker with network access to the HDPM6000 device could send a specially crafted input that overflows a buffer in the firmware, bypassing authentication controls. Successful exploitation could allow the attacker to run code with the privileges of the power meter, enabling data manipulation or device takeover.
Prerequisites
- Network access to the HDPM6000 device on its management or data port
- Device running firmware version 0.58.6 or earlier
- No special credentials or configuration needed for exploitation
- remotely exploitable
- no authentication required
- low complexity
- high CVSS score (9.8)
- affects power monitoring and control infrastructure
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (1)
Product | Affected Versions | Fix Status
PowerLogic™ HDPM6000 | ≤ 0.58.6 | >= 0.58.7
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to HDPM6000 devices using firewall rules to only allow connections from authorized monitoring and management systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update PowerLogic™ HDPM6000 firmware to version 0.58.7 or newer
Long-term hardening
HARDENING: Implement network segmentation to isolate power meters from general plant networks and external networks
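To sequence the three remediation items across a fleet, the following added example (not part of the advisory or any vendor tooling) triages an asset inventory by firmware version and by how broadly each meter is reachable. The inventory rows, CSV column layout, IP addresses and the authorized monitoring host are constructed assumptions; only the version boundary (≤ 0.58.6 affected, 0.58.7 fixed) comes from the advisory.

```python
import csv
import io
import ipaddress

FIXED = (0, 58, 7)  # first fixed firmware version per the advisory

# Constructed inventory: names, addresses and column layout are assumptions.
INVENTORY_CSV = """name,model,firmware,ip,allowed_sources
busway-a1,HDPM6000,0.58.6,10.20.1.11,10.20.0.5/32
busway-a2,HDPM6000,0.58.7,10.20.1.12,10.20.0.5/32
panel-b1,HDPM6000,0.57.12,10.20.1.13,0.0.0.0/0
panel-b2,HDPM6000,0.58,10.20.1.14,10.20.0.0/16;10.20.0.5/32
panel-c1,PM8000,0.58.1,10.20.1.15,0.0.0.0/0
"""

# Assumed authorized monitoring/management system allowed to reach meters.
AUTHORIZED = [ipaddress.ip_network("10.20.0.5/32")]


def parse_version(text):
    """Parse 'a.b.c' numerically (0.58.10 > 0.58.7); short forms are zero-padded (assumption)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def overly_broad(allowed_sources):
    """Return firewall source networks not contained in any authorized network."""
    nets = [ipaddress.ip_network(s) for s in allowed_sources.split(";") if s]
    return [str(n) for n in nets
            if not any(n.subnet_of(a) for a in AUTHORIZED)]


def triage(csv_text):
    """Return (name, firmware, action) for every HDPM6000 row in the inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["model"] != "HDPM6000":
            continue  # other models are outside this advisory's scope
        vulnerable = parse_version(row["firmware"]) < FIXED
        broad = overly_broad(row["allowed_sources"])
        if vulnerable and broad:
            action = "restrict access now, then patch"
        elif vulnerable:
            action = "schedule firmware update"
        elif broad:
            action = "tighten firewall rule"
        else:
            action = "ok"
        findings.append((row["name"], row["firmware"], action))
    return findings
```

Comparing versions as integer tuples rather than strings matters here: a string comparison would rank 0.58.10 below 0.58.7 and misreport a fixed device as affected.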
CVEs (1)
API:
/api/v1/advisories/4a3fbb5f-5167-48ba-bd87-5da4d1227c8a