EcoStruxure Power Monitoring Expert and EcoStruxure™ Power
Act Now | CVSS 9.8 | SEVD-2023-283-02 | Oct 10, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Schneider Electric EcoStruxure Power Monitoring Expert (PME), EcoStruxure Power Operation (EPO), and EcoStruxure Power SCADA Operation with Advanced Reports contain an insecure deserialization vulnerability (CWE-502) affecting all versions prior to Hotfix-145271. The vulnerability allows unauthenticated remote code execution on the affected on-premises monitoring and control software platforms used in power systems.
What this means
What could happen
An attacker with network access to the affected software could execute arbitrary code with full system privileges, potentially compromising your power monitoring system, altering operational data, controlling connected equipment, or disrupting facility monitoring and power operations.
Who's at risk
This affects utilities and industrial facilities operating EcoStruxure Power Monitoring Expert (PME), Power Operation (EPO), or Power SCADA Operation with Advanced Reports. These are on-premises software platforms used by power system operators, energy-intensive facilities, and critical infrastructure to monitor medium and lower voltage power systems. Anyone with these Schneider Electric power monitoring or control systems installed should prioritize patching immediately.
How it could be exploited
An attacker sends a specially crafted network request containing malicious serialized objects to the vulnerable application. The application deserializes the untrusted data without proper validation, triggering code execution on the server hosting PME, EPO, or Power SCADA Operation. No authentication or user interaction is required.
Prerequisites
- Network reachability to the EcoStruxure application port (HTTP/HTTPS)
- Application running a vulnerable version (before Hotfix-145271)
- No authentication required for exploitation
Remotely exploitable | No authentication required | Low complexity attack | Critical CVSS score (9.8) | Unauthenticated remote code execution | Affects power system monitoring and control
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
EcoStruxure™ Power Monitoring Expert (PME) All | <Hotfix-145271 | Hotfix-145271
EcoStruxure™ Power Operation (EPO) with Advanced Reports All | <Hotfix-145271 | Hotfix-145271
EcoStruxure™ Power SCADA Operation with Advanced Reports All | <Hotfix-145271 | Hotfix-145271
Remediation & Mitigation
Do now
EcoStruxure™ Power Monitoring Expert (PME) All
HOTFIX: Apply Hotfix-145271 to all instances of EcoStruxure Power Monitoring Expert (PME 2023, 2022, 2021)
EcoStruxure™ Power Operation (EPO) with Advanced Reports All
HOTFIX: Apply Hotfix-145271 to all instances of EcoStruxure Power Operation (EPO 2022, 2021)
HOTFIX: Apply Hotfix-145271 to all instances of EcoStruxure Power SCADA Operation with Advanced Reports
All products
HOTFIX: For versions older than 2021, contact Schneider Electric Customer Care Center to determine upgrade or support path
WORKAROUND: Configure firewall rules to limit inbound access to the EcoStruxure application ports from trusted networks only
Long-term hardening
HARDENING: Implement network segmentation to restrict access to EcoStruxure applications to only authorized engineering and monitoring workstations
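One way to confirm that the firewall workaround and the segmentation item above actually hold is to test reachability from a segment that should be blocked. This is an added example, not part of the advisory or vendor tooling; ports 80/443 and the 192.0.2.10 address are assumptions, so substitute the ports and servers your deployment uses.

```python
"""Run from a host that should NOT be able to reach the EcoStruxure server
(outside the trusted networks) to confirm the firewall workaround holds."""
import socket
import sys

# Assumptions, not from the advisory: default HTTP/HTTPS ports and a
# placeholder server address from the 192.0.2.0/24 documentation range.
APP_PORTS = (80, 443)
SERVERS = ["192.0.2.10"]


def port_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or filtered
        return False


def exposed_endpoints(servers, ports, timeout=3.0):
    """List (host, port) pairs that accept connections from this vantage point."""
    return [(h, p) for h in servers for p in ports
            if port_reachable(h, p, timeout)]


def main(argv):
    servers = argv[1:] or SERVERS
    exposed = exposed_endpoints(servers, APP_PORTS)
    for host, port in exposed:
        print(f"EXPOSED  {host}:{port} accepts connections from this segment")
    if not exposed:
        print("OK  no application port reachable from this segment")
    return 1 if exposed else 0  # non-zero exit lets a scheduled job alert


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A clean result from an untrusted segment only shows the filter is in place for that path; the hotfix is still required on every instance.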
CVEs (1)