SpaceLogic C-Bus Toolkit
Priority: Act Now
Severity score: 9.8
Advisory ID: SEVD-2023-283-01
Published: Oct 10, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities exist in SpaceLogic C-Bus Toolkit versions 1.16.3 and prior that could allow remote code execution. The toolkit is used on personal computers to configure and commission C-Bus building automation and lighting installations. Exploitation could result in tampering with the C-Bus system configuration and control.
What this means
What could happen
An attacker who gains access to an engineering workstation running the toolkit could execute arbitrary code and tamper with C-Bus building automation and lighting configurations, potentially disabling controls or manipulating building systems.
Who's at risk
Building automation and lighting system engineers and technicians who use the SpaceLogic C-Bus Toolkit to configure and commission C-Bus installations. This affects facility managers and automation specialists in energy sector facilities with C-Bus home automation systems.
How it could be exploited
An attacker could exploit multiple vulnerabilities in the SpaceLogic C-Bus Toolkit application to gain remote code execution on the engineering workstation where the toolkit is installed. The attacker needs network access to the workstation and could leverage improper access control or path traversal flaws to execute commands with the permissions of the user running the toolkit.
Prerequisites
- Network access to the workstation running SpaceLogic C-Bus Toolkit
- The vulnerable version (1.16.3 or earlier) must be installed and potentially running
Tags:
- remotely exploitable
- no authentication required
- low complexity
- high EPSS score (25.1%)
- affects control system configuration
Exploitability
High exploit probability (EPSS 25.1%)
Affected products (1)
Product | Affected Versions | Fix Status
SpaceLogic C-Bus Toolkit V1.16.3 and prior | ≤ 1.16.3 | 1.16.4
Remediation & Mitigation
Schedule: requires maintenance window. Patching may require a device reboot; plan for process interruption.
HOTFIX: Update SpaceLogic C-Bus Toolkit to version 1.16.4 or later
HOTFIX: Reboot the PC after installation of the updated toolkit
Long-term hardening
HARDENING: Restrict network access to workstations running the C-Bus Toolkit to authorized engineering staff only
HARDENING: Run the C-Bus Toolkit only on isolated engineering workstations not connected to operational networks when not in active use
CVEs (2)