Wiser Home Controller WHC-5918A
Act Now | 9.8 | SEVD-2024-191-01 | Jul 9, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Wiser Home Controller WHC-5918A contains a credential disclosure vulnerability (CWE-200) that allows attackers to extract stored credentials from the device. The product was discontinued on December 31, 2015, and Schneider Electric has not released a patch. An attacker with network access can potentially steal credentials, compromising the controller and the connected home automation systems. Schneider recommends network isolation, physical security controls, and secure remote access procedures as compensating controls since no software patch is available.
What this means
What could happen
An attacker with network access to the Wiser Home Controller could steal stored credentials, allowing them to compromise the device and potentially gain control of home automation systems including HVAC, lighting, and appliance management.
Who's at risk
Organizations operating the Wiser Home Controller WHC-5918A in residential or small commercial energy management deployments should be aware this product was discontinued in 2015 and has no vendor support. This primarily affects homeowners, small businesses, and facilities still relying on this aging home automation platform.
How it could be exploited
An attacker with network access to the WHC-5918A can extract stored credentials from the device through the vulnerability. Once credentials are obtained, the attacker can authenticate to the controller and modify automation rules, disable heating/cooling, or manipulate connected devices.
Prerequisites
- Network access to the Wiser Home Controller WHC-5918A
- Device must be operational and connected to network
remotely exploitable · no authentication required · low complexity · no patch available · end-of-life product with no vendor support
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
Wiser Home Controller WHC-5918A All Versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Never leave the controller in Program mode when not actively in use
WORKAROUND: Disable remote access to the controller except through a secure VPN with current patches if absolutely necessary
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Place the controller in a locked cabinet or secure enclosure to prevent physical access
HARDENING: Scan all removable media (USB drives, CDs) with antivirus before connecting to the network
Mitigations - no patch available
Wiser Home Controller WHC-5918A All Versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate the Wiser Home Controller WHC-5918A and all C-Bus home automation networks behind a firewall, separated from the business network
HARDENING: Implement network segmentation to prevent internet-facing access to the controller; use air-gapping or VPN if remote access is needed
HARDENING: Establish strict controls over which mobile devices and workstations can connect to the C-Bus network; do not allow devices that have connected to other networks without proper isolation
CVEs (1)
API:
/api/v1/advisories/701a1aaf-c838-48db-a16e-31156b847ca8