SAGE RTU

Act Now9.8SEVD-2024-163-05Jun 11, 2024

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SAGE RTU products contain multiple vulnerabilities (CWE-787, CWE-22, CWE-276, CWE-252, CWE-120, CWE-125) affecting firmware versions C3414-500-S02K5_P8 and earlier. The SAGE RTU is a hardware device that collects utility substation information from various devices and relays it to a SCADA platform. These vulnerabilities could lead to total compromise of the affected device, resulting in loss of data, loss of operations, or degraded device performance.

What this means

What could happen

An attacker could remotely compromise SAGE RTU devices without authentication, potentially gaining complete control to manipulate substation data collection, disrupt SCADA visibility, or alter operational parameters sent to the utility control center.

Who's at risk

This affects utility companies operating Schneider Electric SAGE RTU devices (models 1410, 1430, 1450, 2400, 3030 Magnum, and 4400) at substations. These are commonly used in electric utilities and water authorities for remote terminal units that gather telemetry from protection relays, meters, and control equipment.

How it could be exploited

An attacker on the network can send crafted packets to the SAGE RTU's network interface to trigger buffer overflows, path traversal, or memory corruption issues. Exploitation requires only network access; no credentials or authentication are needed. Once exploited, the attacker could execute arbitrary code on the device.

Prerequisites

Network-level access to the SAGE RTU device (typically on substation network or management VLAN)
No authentication required
Attacker can craft malicious packets to trigger the vulnerability

remotely exploitableno authentication requiredlow complexitycritical CVSS 9.8affects SCADA data integrity and availabilityaffects substation equipment

Exploitability

Moderate exploit probability (EPSS 1.2%)

Affected products (6)

6 with fix

ProductAffected VersionsFix Status

Sage 1410≤ C3414-500-S02K5 P8C3414-500-S02K5_P9

Sage 1430≤ C3414-500-S02K5 P8C3414-500-S02K5_P9

Sage 1450≤ C3414-500-S02K5 P8C3414-500-S02K5_P9

Sage 2400≤ C3414-500-S02K5 P8C3414-500-S02K5_P9

Sage 3030 Magnum≤ C3414-500-S02K5 P8C3414-500-S02K5_P9

Sage 4400≤ C3414-500-S02K5 P8C3414-500-S02K5_P9

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to SAGE RTU management interfaces using firewall rules; limit to authorized engineering workstations and SCADA master stations only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply firmware update C3414-500-S02K5_P9 to all affected SAGE RTU devices

Long-term hardening

0/1

HARDENINGPlace SAGE RTU devices on a dedicated, air-gapped substation network segment isolated from corporate IT networks

CVEs (6)

CVE-2024-37036 CVE-2024-37037 CVE-2024-37038 CVE-2024-37039 CVE-2024-37040 CVE-2024-5560

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7d330637-37b8-457e-bcc9-5826b79c4b20