OTPulse

FlexNet Publisher Vulnerability

Plan Patch | CVSS 7.8 | SEVD-2025-014-07 | Jan 14, 2025
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric products embed the Revenera FlexNet Publisher licensing component, which contains a local privilege escalation vulnerability (CWE-427) in DLL loading. An attacker with local user access could exploit improper DLL search path handling to load a malicious DLL with elevated privileges. This could enable arbitrary code execution and compromise the integrity of PLC programs, SCADA configurations, and process control logic. Some Schneider products have no vendor fix available.

What this means
What could happen
An attacker with local access to an engineering workstation running vulnerable Schneider Electric software could escalate privileges and execute malicious code, potentially allowing them to modify PLC programs, process setpoints, or alter SCADA configurations without detection.
Who's at risk
Engineering staff and automation technicians who use Schneider Electric engineering software (Control Expert, Machine Expert, Vijeo Designer, Architecture Builder, OPC UA Server, and related tools) on Windows workstations. Also affects facilities using EcoStruxure™ Process Expert, Zelio Soft 2, and Pro-face BLUE for process control or device configuration. Any site with local users having access to these workstations is at risk.
How it could be exploited
The FlexNet Publisher licensing component embedded in Schneider software contains a local privilege escalation flaw. An attacker with local user access could exploit an insecure DLL loading mechanism to inject a malicious DLL that runs with elevated privileges, gaining full control of the engineering workstation and any connected industrial devices.
Prerequisites
  • Local user account on the engineering workstation
  • Access to a directory where the application searches for DLL files
  • Ability to write files to an unprotected directory in the DLL search path
  • Requires local access (not remotely exploitable)
  • Low attack complexity
  • Affects multiple engineering and SCADA software products
  • No fix available for Process Expert, Machine Expert Safety, or Machine SCADA Expert variants
  • Could lead to unauthorized modification of industrial processes
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (15)
14 with fix, 1 EOL
Product | Affected Versions | Fix Status
EcoStruxure™ Process Expert | <2023 | 2023 (v4.8.0.5715)
EcoStruxure™ Process Expert for AVEVA System Platform All versions | All versions | 2023 (v4.8.0.5715)
EcoStruxure™ Control Expert | <16.2 | 16.2
EcoStruxure™ OPC UA Server Expert | <SV2.01SP3 | SV2.01SP3
EcoStruxure™ Control Expert Asset Link | <4.0 SP1 | 4.0SP1
EcoStruxure™ Architecture Builder | <7.0.18 | 7.0.18
EcoStruxure™ Operator Terminal Expert | <4.0 | 4.0
Vijeo Designer | <6.3SP1 HF1 | 6.3SP1 HF1
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EcoStruxure™ Control Expert
  • HOTFIX: Update EcoStruxure™ Control Expert to version 16.2 or later and reboot
  • HOTFIX: Update EcoStruxure™ Control Expert Asset Link to version 4.0 SP1 or later
EcoStruxure™ OPC UA Server Expert
  • HOTFIX: Update EcoStruxure™ OPC UA Server Expert to version SV2.01SP3 or later
EcoStruxure™ Architecture Builder
  • HOTFIX: Update EcoStruxure™ Architecture Builder to version 7.0.18 or later
EcoStruxure™ Operator Terminal Expert
  • HOTFIX: Update EcoStruxure™ Operator Terminal Expert to version 4.0 or later
Vijeo Designer
  • HOTFIX: Update Vijeo Designer to version 6.3SP1 HF1 or later (contact Schneider support)
EcoStruxure™ Machine Expert
  • HOTFIX: Update EcoStruxure™ Machine Expert to version 2.5.0.1 or later
  • HOTFIX: Update EcoStruxure™ Machine Expert Twin to version 2.3 or later
Zelio Soft 2
  • HOTFIX: Update Zelio Soft 2 to version 5.4.3 or later
Pro-face BLUE
  • HOTFIX: Update Pro-face BLUE to version 4.0 or later
Mitigations - no patch available
EcoStruxure™ Machine SCADA Expert Asset Link All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Restrict local user access to engineering workstations; limit accounts to only those requiring hands-on access
  • HARDENING: Implement file integrity monitoring on engineering workstation directories to detect unauthorized DLL placement
  • HARDENING: Isolate engineering workstations on a separate network segment with restricted access from general IT network
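
As an added example (not part of the advisory or any vendor tooling), a minimal baseline-and-compare check for the file integrity monitoring control above: it hashes every DLL under a directory and reports files added, modified, or removed since the baseline. The directory and file names used in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each DLL under root (relative path, lower-cased) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".dll"):  # Windows names are case-insensitive
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
                result[rel] = digest
    return result

def compare(baseline, current):
    """Return DLLs added, modified, or removed since the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed sample: a temp directory standing in for an install folder."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "licensing.dll"), "wb") as fh:
            fh.write(b"constructed vendor file")
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"not a DLL, ignored")
        baseline = snapshot(root)
        # Simulate an unexpected DLL appearing and an existing one changing.
        with open(os.path.join(root, "bin", "unexpected.DLL"), "wb") as fh:
            fh.write(b"constructed unexpected file")
        with open(os.path.join(root, "bin", "licensing.dll"), "wb") as fh:
            fh.write(b"constructed altered file")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be taken after a known-good install or patch and stored where standard users cannot modify it.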