EcoStruxure™ IT Gateway
Priority: Act Now
CVSS: 9.8
Advisory ID: SEVD-2024-317-04
Published: Nov 12, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A missing authorization control in EcoStruxure™ IT Gateway allows unauthorized access to the Gateway and sensitive information retrieval. The vulnerability affects versions 1.21.0.6, 1.22.0.3, 1.22.1.5, and 1.23.0.4. This is a network-accessible vulnerability with critical severity (CVSS 9.8).
What this means
What could happen
An attacker could gain unauthorized control of the EcoStruxure™ IT Gateway and extract sensitive data from your IT infrastructure monitoring system, potentially compromising visibility into critical equipment like power distribution and cooling systems across your facilities.
Who's at risk
This advisory affects energy sector organizations (utilities, generation facilities, large industrial plants) that use Schneider Electric's EcoStruxure™ IT platform to monitor and manage IT infrastructure supporting critical systems. Any facility using the Gateway to collect data from network devices, servers, or monitoring equipment should prioritize remediation.
How it could be exploited
An attacker with network access to the Gateway can exploit the missing authorization control to access the application without credentials, then execute administrative actions or retrieve sensitive configuration and monitoring data.
Prerequisites
- Network access to the EcoStruxure™ IT Gateway
- No credentials required
- Remotely exploitable
- No authentication required
- Low complexity
- Critical CVSS score (9.8)
- Missing authorization control
- Affects cloud-connected monitoring infrastructure
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: EcoStruxure™ IT Gateway
Affected Versions: 1.21.0.6; 1.22.0.3; 1.22.1.5; 1.23.0.4
Fix Status: 1.23.1.10
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the EcoStruxure™ IT Gateway to authorized IT management subnets using firewall rules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade EcoStruxure™ IT Gateway to version 1.23.1.10 or later
Long-term hardening
HARDENING: Enable automatic updates in EcoStruxure™ IT Gateway configuration to receive future security patches promptly
CVEs (1)