OTPulse
FeedAboutContact

Power SCADA Anywhere

Low RiskSEVD-2023-129-04May 9, 2023
Summary

Multiple vulnerabilities exist in AVEVA Plant SCADA Access Anywhere, an optional web-based remote access component of Schneider Electric EcoStruxure Power Operation and Power SCADA Operation products. The vulnerabilities allow an attacker with network access to exploit the remote access interface.

What this means
What could happen
An attacker with network access to Power SCADA Anywhere could exploit vulnerabilities to gain unauthorized remote access to the SCADA system, potentially allowing them to view or modify operational data and system configurations.
Who's at risk
Energy utilities operating Schneider Electric EcoStruxure Power Operation or Power SCADA Operation systems with the optional Power SCADA Anywhere remote access component installed. This affects operators and system administrators who rely on remote SCADA access for monitoring and control of power generation, distribution, or industrial processes.
How it could be exploited
An attacker on the network could target the web-based remote access interface of Power SCADA Anywhere (port and authentication method not specified in advisory). Successful exploitation would grant access to the SCADA system backend, bypassing normal access controls.
Prerequisites
  • Network access to the Power SCADA Anywhere web interface
  • The component must be installed and enabled on an EcoStruxure Power Operation or Power SCADA Operation system
  • No specific authentication bypass mentioned, but exploitation method unclear from advisory
remotely exploitableweb-based remote accessno vendor patch status clarified for specific vulnerabilities
Affected products (1)
ProductAffected VersionsFix Status
Power SCADA Anywhere1.11.2
Remediation & Mitigation
0/4
Do now
0/3
HARDENINGPlace Power SCADA Anywhere and SCADA system networks behind firewalls and isolate from business network
HARDENINGRestrict network exposure—ensure Power SCADA Anywhere is not accessible from the Internet
HARDENINGIf remote access is required, enforce use of VPN with current security patches; verify VPN device and credentials are secure
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Power SCADA Anywhere from version 1.1 to version 1.2 or later
View full Schneider Electric advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/ba1f3c23-8e13-4dbb-a3ed-e35bc5699774