OTPulse

EcoStruxure Power Monitoring Expert and EcoStruxure™ Power Operation with Advanced Reporting and Dashboards Module

Plan Patch | CVSS 8.2 | SEVD-2023-318-02 | Nov 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Multiple vulnerabilities affect the Schneider Electric EcoStruxure Power Monitoring Expert (PME), EcoStruxure Power Operation (EPO), and EcoStruxure Power SCADA Operation (PSO) Advanced Reporting and Dashboards Module. These vulnerabilities enable cross-site scripting (XSS) and open redirect attacks that could result in account takeover or code execution in user browsers.

What this means
What could happen
An attacker could trick a user into clicking a malicious link to execute scripts in the browser context of the monitoring dashboard or redirect them to a phishing site, potentially compromising operator credentials or manipulating the displayed system state without affecting the actual control systems.
Who's at risk
Energy sector operators using Schneider Electric's EcoStruxure Power Monitoring Expert, Power Operation, or Power SCADA Operation software to monitor and control electrical distribution systems and facility power loads. The issue primarily affects the on-premises monitoring and dashboarding functions used by power engineers and facility operators.
How it could be exploited
An attacker crafts a malicious URL containing an XSS payload or open redirect parameters and sends it to an operator or administrator. When the operator clicks the link and authenticates to the PME/EPO/PSO web interface, the payload executes in the operator's browser with their privileges, or the user is silently redirected to a credential-harvesting site.
Prerequisites
  • User must click on attacker-supplied malicious link
  • Operator or administrator must be authenticated to the EcoStruxure web interface
  • User must accept any browser warnings or trust the initial domain
Tags: remotely exploitable, low complexity, requires user interaction, can lead to credential compromise
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4)
3 with fix, 1 pending

Product | Affected Versions | Fix Status
EcoStruxure™ Power Monitoring Expert (PME) | ≤ 2021 CU1 | 2021 CU2
EcoStruxure™ Power Monitoring Expert (PME) 2020 | ≤ 2020 CU2 | 2020 CU3
Advanced Reporting and Dashboards Module for EcoStruxure™ Power Operation | ≤ 2021 CU1 | 2021 CU2
Advanced Reporting and Dashboards Module for EcoStruxure™ Power SCADA Operation (PSO) 2020 or 2020 R2 | ≤ 2020 CU2 | No fix yet

Note 1: Power SCADA Operation and Power Operation without the Advanced Reporting and Dashboards Module are not affected.
Note 2: Advanced Reporting and Dashboards Module is equivalent to EcoStruxure™ Power Monitoring Expert.
Remediation & Mitigation
Do now
EcoStruxure™ Power Monitoring Expert (PME)
WORKAROUND: Restrict web interface access to PME/EPO/PSO to trusted networks and IP ranges using firewall rules
All products
HARDENING: Educate operators to verify URLs before clicking links in emails or messages related to system access
WORKAROUND: Implement Web Application Firewall rules to detect and block XSS and open redirect attempts targeting the EcoStruxure interfaces
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EcoStruxure™ Power Monitoring Expert (PME)
HOTFIX: Update EcoStruxure Power Monitoring Expert (PME) to version 2021 CU2 or later
HOTFIX: Update EcoStruxure Power Monitoring Expert (PME) 2020 to version 2020 CU3 or later
All products
HOTFIX: Update Advanced Reporting and Dashboards Module for EcoStruxure Power Operation to version 2021 CU2 or later
HOTFIX: Update Advanced Reporting and Dashboards Module for EcoStruxure Power SCADA Operation 2020/2020 R2 to version 2020 CU3 or later
EcoStruxure Power Monitoring Expert and EcoStruxure™ Power Operation with Advanced Reporting and Dashboards Module | CVSS 8.2 - OTPulse