Zelio Soft 2
Recommended action: Plan Patch
CVSS base score: 7.8
Advisory: SEVD-2024-282-06
Published: Oct 8, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Schneider Electric Zelio Soft 2 versions prior to 5.4.2.2 contain a use-after-free vulnerability (CWE-416) and an improper input validation vulnerability (CWE-20). The software runs on an engineering workstation and is used to program, simulate, monitor, and manage Zelio Logic smart relays (SR2/SR3) in automation and energy control systems. Successful exploitation could allow code execution on the workstation, resource exhaustion, information disclosure, or denial of service of the application.
What this means
What could happen
An attacker who gets a malicious file opened in Zelio Soft 2 could execute arbitrary code on that workstation with the privileges of the user running the software. The attack vector is local in the CVSS sense: the file must be opened on the workstation, so the attacker needs a delivery path for it (removable media, e-mail, a shared project folder), not necessarily an interactive session on the machine. From there the attacker could disrupt engineering work, alter relay logic programs before they are downloaded to the relays, or exfiltrate automation designs.
Who's at risk
Energy sector operations and utilities using Zelio Logic smart relays (SR2/SR3) with engineering workstations running Zelio Soft 2 for programming and configuration. This affects maintenance teams and control system engineers who use the software to design, test, and deploy relay logic programs.
How it could be exploited
An attacker delivers a crafted file or project to an engineering workstation running Zelio Soft 2 and tricks an operator into opening it. Parsing the file triggers the use-after-free or improper input validation flaw and lets the attacker execute arbitrary code on that workstation as the logged-in user. From there, the attacker could modify relay logic programs before they are downloaded to Zelio Logic smart relays (SR2/SR3), affecting field operations; the relays themselves are not attacked directly.
Prerequisites
- A way to place a malicious file or project on, or deliver it to, the engineering workstation running Zelio Soft 2 (CVSS attack vector: local)
- A user must open or interact with the malicious file or project in the software
- Zelio Soft 2 version earlier than 5.4.2.2
Tags: Use-after-free vulnerability · Local code execution · Requires user interaction (malicious file)
Exploitability
Low exploit probability (EPSS 0.1%, i.e. the estimated chance of exploitation activity in the wild over the next 30 days)
Affected products (1)
Product        Affected Versions    Fix Status
Zelio Soft 2   < 5.4.2.2            Fixed in 5.4.2.2
Remediation & Mitigation
Schedule: requires a maintenance window
Patching may require a reboot of the engineering workstation; plan for the interruption to programming and monitoring sessions
HOTFIX: Update Zelio Soft 2 to version 5.4.2.2 or later, using the Schneider Electric Software Update (SESU) application or the installer downloaded from the product page
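To verify the remediation across a fleet of engineering workstations, the following added example (not part of this advisory and not Schneider Electric tooling) triages a software-inventory export and flags hosts whose Zelio Soft 2 install is still below 5.4.2.2. The CSV rows, hostnames and column names are constructed stand-ins for an endpoint-management export; the product-name pattern is an assumption about how the inventory tool labels the install. Versions are compared numerically, because a plain string comparison would wrongly rank "5.4.2.10" below "5.4.2.2".

```python
"""Triage a software inventory for Zelio Soft 2 installs below the fixed version.

Added example for SEVD-2024-282-06; not vendor code. The CSV below is a constructed
stand-in for an endpoint-management export, and its column names are assumptions.
"""
import csv
import io
import re

FIXED_VERSION = "5.4.2.2"          # first fixed release per the advisory
# Assumption: the inventory tool reports the product as some spelling of "Zelio Soft 2"
PRODUCT_PATTERN = re.compile(r"zelio\s*soft\s*2", re.IGNORECASE)

# Constructed sample export (hostnames and rows are invented for this example)
INVENTORY_CSV = """hostname,product,version
ENG-WS-01,Zelio Soft 2,5.4.2.1
ENG-WS-02,Zelio Soft 2,5.4.2.2
ENG-WS-03,Zelio Soft 2,5.4.2.10
ENG-WS-04,Zelio Soft 2,5.3.1.0
ENG-WS-05,EcoStruxure Machine Expert,2.1.0
ENG-WS-06,Zelio Soft 2,
"""


def parse_version(text):
    """Turn a dotted version string into a tuple of ints; None if it is not one.

    Tuples compare element by element, so (5, 4, 2, 10) > (5, 4, 2, 2), which a
    string comparison would get wrong.
    """
    text = (text or "").strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True if the version is below the fixed release, False if fixed or later,
    None if the version field is missing or unparseable (needs manual review)."""
    found = parse_version(version_text)
    if found is None:
        return None
    target = parse_version(fixed)
    # Pad the shorter tuple with zeros so "5.4.2" compares as 5.4.2.0
    width = max(len(found), len(target))
    found = found + (0,) * (width - len(found))
    target = target + (0,) * (width - len(target))
    return found < target


def triage_inventory(csv_text):
    """Bucket Zelio Soft 2 hosts into vulnerable / fixed / unknown by version."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not PRODUCT_PATTERN.search(row.get("product", "")):
            continue                       # other products are out of scope
        status = is_vulnerable(row.get("version"))
        if status is None:
            report["unknown"].append(row["hostname"])
        elif status:
            report["vulnerable"].append(row["hostname"])
        else:
            report["fixed"].append(row["hostname"])
    return report


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(INVENTORY_CSV).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket (blank or malformed version strings) should be checked by hand rather than assumed patched; an inventory gap is a common way for an unpatched engineering workstation to slip through.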
CVEs (2)