Harmony HMI and Pro-face HMI products

Plan Patch8.8SEVD-2024-345-02Dec 10, 2024

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A vulnerability exists in Harmony HMI panels (HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7 with EcoStruxure Operator Terminal Expert) and Pro-face HMI panels (PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100 with Pro-face BLUE) due to obsolete third-party components. An authenticated attacker with network access could exploit this to execute arbitrary code on the HMI device, potentially resulting in loss of device control, data integrity, and confidentiality. All versions of these products are affected.

What this means

What could happen

An authenticated attacker with network access to a Harmony or Pro-face HMI panel could exploit a third-party component vulnerability to execute arbitrary code on the device, allowing them to alter production parameters, stop critical operations, or manipulate logged data across energy and manufacturing facilities.

Who's at risk

Energy utilities and manufacturing facilities operating Harmony HMI panels (HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7) or Pro-face HMI panels (PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100) for process visualization, control, and monitoring are affected. This includes all sites using these panels to manage critical machinery, production lines, or power distribution systems.

How it could be exploited

An attacker with valid engineering credentials could connect to the HMI panel's network interface and exploit the vulnerable third-party component to gain code execution. Once running commands on the panel, the attacker could modify setpoints, disable alarms, or interfere with supervisory functions that control connected PLCs and motors.

Prerequisites

Network connectivity to the HMI panel
Valid engineering or operator credentials (PR:L in CVSS)
No user interaction required once authenticated

Remotely exploitable over networkRequires valid credentials but no user interactionLow attack complexityNo vendor patch available (third-party component obsolescence)Affects production control and safety visibilityCVSS 8.8 (high severity)

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (2)

2 pending

ProductAffected VersionsFix Status

Harmony (Formerly Magelis) HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7 series with EcoStruxureTM Operator Terminal Expert runtime All versionsAll versionsNo fix yet

PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100 series with Pro-face BLUE runtime All versionsAll versionsNo fix yet

Remediation & Mitigation

0/5

Do now

0/4

HARDENINGIsolate HMI panels and control networks behind firewalls; prevent direct network access from business or external networks

HARDENINGRestrict physical access to HMI panels and PLCs using locked cabinets; ensure devices are never left in 'Program' mode

HARDENINGScan and validate all USB drives, portable media, and mobile devices before connecting to control networks

HARDENINGBlock all direct Internet access to HMI panels; use VPN only for remote access and keep VPN software current

Long-term hardening

0/1

HARDENINGImplement network segmentation so programming workstations are never connected to any network other than the control network

CVEs (1)

CVE-2024-11999

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/32337ab3-4969-4601-9fbe-a0e1fbd9b20c