OTPulse

EcoStruxure™ Power Monitoring Expert and EcoStruxure™ Power Operation or EcoStruxure™ Power SCADA Operation with Advanced Reporting and Dashboards

Monitor | 5.4 | SEVD-2024-254-02 | Sep 10, 2024
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

A cross-site scripting (XSS) vulnerability exists in EcoStruxure Power Monitoring Expert (PME), EcoStruxure Power Operation (EPO), and EcoStruxure Power SCADA Operation (PSO) products. An authenticated attacker could inject malicious web code that executes in the browser of a logged-in user, potentially allowing execution of unauthorized commands or data exfiltration. The vulnerability affects on-premises deployments of these power monitoring and control platforms used in critical infrastructure facilities.

What this means
What could happen
An attacker with valid user credentials could inject malicious code into the web interface of these power monitoring and control systems, potentially executing arbitrary commands or causing unintended changes to operational settings.
Who's at risk
Electric utilities and water authorities using Schneider Electric EcoStruxure Power Monitoring Expert, Power Operation, or Power SCADA Operation software for energy management and monitoring. Specifically impacts facilities using the web-based dashboards and reporting modules to view real-time power data and manage distribution systems.
How it could be exploited
An authenticated user visits a specially crafted web page or clicks a malicious link within the EcoStruxure Power Monitoring Expert, Power Operation, or Power SCADA Operation interface. The injected code runs in the user's browser with the privileges of the logged-in account, allowing the attacker to manipulate system settings, extract data, or perform unauthorized actions on behalf of that user.
Prerequisites
  • Valid user account credentials for the EcoStruxure system
  • Network access to the web interface (port 443 typical for HTTPS)
  • User must visit a malicious link or page (requires user interaction)
  • Vulnerable version must be deployed
  • Remotely exploitable via web interface
  • Requires valid user credentials
  • Low complexity attack
  • Multiple products with no patch available (end-of-life)
  • Web-based interface accessible to multiple user roles
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
3 with fix, 4 pending
Product | Affected Versions | Fix Status
EcoStruxure™ Power Monitoring Expert (PME) 2021 CU1 and prior | ≤ 2021 CU1 | 2021 CU2
EcoStruxure™ Power Monitoring Expert (PME) 2020 CU3 and prior | ≤ 2020 CU3 | No fix yet
EcoStruxure™ Power Operation (EPO) 2022 CU4 and prior | ≤ 2022 CU4 | 2022 CU5
EcoStruxure™ Power Operation (EPO) 2022 – Advanced Reporting and Dashboards Module 2022 CU4 and prior | ≤ 2022 CU4 | No fix yet
EcoStruxure™ Power Operation (EPO) 2021 CU3 Hotfix 2 and prior | ≤ 2021 CU3 Hotfix 2 | 2021 CU3 Hotfix 3
EcoStruxure™ Power Operation (EPO) 2021 – Advanced Reporting and Dashboards Module 2021 CU3 Hotfix 2 and prior | ≤ 2021 CU3 Hotfix 2 | No fix yet
EcoStruxure™ Power SCADA Operation 2020 (PSO) - Advanced Reporting and Dashboards Module All Versions | All versions | No fix yet
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EcoStruxure™ Power Operation (EPO) 2022 CU4 and prior
HOTFIX: For EcoStruxure Power Operation with Advanced Reporting and Dashboards Module: independently update the bundled EcoStruxure Power Monitoring Expert component to the fixed version
All products
HOTFIX: EcoStruxure Power Monitoring Expert 2021: Update to version CU2 or later; EcoStruxure Power Monitoring Expert 2022: Use latest version
HOTFIX: EcoStruxure Power Operation 2022: Update to version CU5 or later
HOTFIX: EcoStruxure Power Operation 2021: Update to version CU3 Hotfix 3 or later
HARDENING: Implement input validation and output encoding at the network perimeter or via web application firewall rules to detect and block common cross-site scripting (XSS) attack patterns
Long-term hardening
EcoStruxure™ Power Monitoring Expert (PME) 2021 CU1 and prior
HARDENING: For end-of-life products (PME 2020 CU3, EPO 2022 with Advanced Reporting Module, PSO 2020 with Advanced Reporting Module): isolate systems from untrusted networks and implement network access controls to restrict web interface access to authorized engineering workstations only