OTPulse
FeedAboutContact

Easergy Studio

Plan Patch7.8SEVD-2024-100-01Apr 9, 2024
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

Easergy Studio versions 9.3.3 and earlier contain a vulnerability in how the application searches for libraries (unquoted search paths). An attacker with local access to an engineering workstation could exploit this to escalate privileges by placing a malicious library in the search path, allowing unauthorized command execution with elevated privileges. This vulnerability affects Easergy Studio, a software solution for configuring, monitoring, and managing control devices used in energy infrastructure.

What this means
What could happen
An attacker with local access to an engineering workstation running Easergy Studio could escalate privileges by exploiting how the application searches for libraries, potentially gaining full control of the workstation and the devices it manages.
Who's at risk
Energy sector operators and engineers using Schneider Electric Easergy Studio for configuring and managing control devices on engineering workstations. This primarily affects organizations that deploy substation automation and protection relays managed through Easergy Studio.
How it could be exploited
An attacker with local access to a Windows workstation running Easergy Studio could place a malicious library in an unquoted search path that the application uses. When Easergy Studio runs with higher privileges, it loads the attacker's library instead of the legitimate one, giving the attacker the same elevated privileges.
Prerequisites
  • Local access to the engineering workstation running Easergy Studio
  • User account with lower privileges than the Easergy Studio process
  • Write access to directories in the application's library search path
Local access requiredAffects engineering workstationsPrivilege escalation possibleLow attack complexity
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
Easergy Studio v9.3.3 and prior≤ 9.3.39.3.4
Remediation & Mitigation
0/1
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Easergy Studio to version 9.3.4 or later (current version 9.3.6 is available)
View full Schneider Electric advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/a5269fea-7096-497a-b783-f7f1a037523b