EcoStruxure IT Gateway
Plan Patch | CVSS 7.8 | SEVD-2024-044-03 | Feb 13, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
EcoStruxure IT Gateway contains a privilege escalation vulnerability (CWE-798: hardcoded credentials or password). A local attacker with low-privilege access can escalate to higher privileges and access the database, potentially compromising data integrity. Affected versions: 1.20.x and earlier.
What this means
What could happen
An attacker with local access to the gateway system could escalate privileges to access the device database and alter or steal monitored device data, potentially disrupting alarm notifications and data integrity across your smart building or facility monitoring infrastructure.
Who's at risk
Facilities managers, data center operators, and smart building administrators who rely on EcoStruxure IT Gateway for device monitoring and alarm notifications in energy, healthcare, and industrial facilities. This affects any organization using versions 1.20.x or earlier on Windows or Linux gateway systems.
How it could be exploited
An attacker with low-privilege local access to the EcoStruxure IT Gateway system can exploit hardcoded credentials or weak privilege controls to escalate to administrative access, then directly access the internal database to read, modify, or delete device records and alarm configurations.
Prerequisites
- Local access to the EcoStruxure IT Gateway system
- Low-privilege user account on the gateway system
hardcoded credentials (CWE-798) | low complexity privilege escalation | affects data integrity | high CVSS (7.8) | database access risk
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
EcoStruxure IT Gateway | ≤ 1.20.x | 1.21
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update EcoStruxure IT Gateway to version 1.21 or later
HOTFIX: Verify after upgrade that EcoStruxure IT Gateway version is v1.21 or later
Long-term hardening
HARDENING: Restrict local system access to the gateway server to authorized personnel only
HARDENING: Apply principle of least privilege: ensure users have only the minimum access level needed
CVEs (1)