Wiser Home Automation

Low RiskSEVD-2025-133-02May 13, 2025

Summary

Schneider Electric Wiser AvatarOn 6K Freelocate and Wiser Cuadro H 5P Socket products contain a vulnerability in the Silicon Labs Gecko Bootloader. The vulnerability is a buffer overflow that could allow persistent code execution if an attacker gains access to the device.

What this means

What could happen

An attacker with physical or network access to the device could execute malicious code persistently, potentially compromising home automation functions and any connected systems. This poses a risk to device availability and integrity.

Who's at risk

Home automation users with Schneider Electric Wiser AvatarOn 6K Freelocate battery-powered pushbutton or Wiser Cuadro H 5P Socket smart plug/outlet products. These are consumer-grade home automation devices, not industrial controls, but may be used in home networks alongside other sensitive systems.

How it could be exploited

An attacker would need to exploit a buffer overflow in the Gecko Bootloader during the boot process or through a networked interface to inject and execute code. Physical access to USB or LAN ports could also facilitate exploitation.

Prerequisites

Physical access to USB or LAN ports on the device, or network access if remotely exploitable vector exists in bootloader
Ability to trigger the bootloader or submit specially crafted input to vulnerable boot code

No patch availableBuffer overflow vulnerabilityPersistent code execution possibleDefault credentials riskPhysical access exploitation possible

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

Wiser Cuadro H 5P Socket All versionsAll versionsNo fix (EOL)

Wiser AvatarOn 6K Freelocate All versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/7

Do now

0/4

HARDENINGChange the default admin password immediately when the device is first received and after any factory reset. Use a strong password with uppercase, lowercase, numbers, and special characters (minimum 20 characters)

HARDENINGDeploy the device only on a personal home network and ensure it does not have a publicly accessible IP address

WORKAROUNDDo not use port forwarding to access the device from the public internet

HARDENINGRestrict physical access to the device by securing USB and LAN ports to prevent unauthorized access

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGPlace the device on its own network segment using a guest network or VLAN if your router supports it

HARDENINGEnable the strongest available Wi-Fi encryption (WPA3 or WPA2/3 with protected management frames)

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: Wiser Cuadro H 5P Socket All versions, Wiser AvatarOn 6K Freelocate All versions. Apply the following compensating controls:

HARDENINGSchedule regular reboots of routing devices, smartphones, and computers on the network

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/aa7ca857-9648-4737-9e96-4bf9974bde2a