OTPulse

Insight Home and Insight Facility

Low Risk · SEVD-2025-161-01 · Jun 10, 2025
Summary

Schneider Electric is aware of a vulnerability in a third-party Real-Time Operating System (RTOS) component utilized in the Insight Home and Insight Facility products. These are smart edge devices designed to operate within a secure local network environment. Failure to apply mitigations may result in improper operation of the device and loss of data.

What this means
What could happen
An attacker with access to the local network could exploit the RTOS vulnerability to cause improper device operation or corrupt data stored on these energy management devices. If the device controls load shedding or energy distribution, malfunction could disrupt power delivery or energy monitoring for residential or small commercial systems.
Who's at risk
Residential and small commercial building managers using Schneider Electric Insight Home (up to 6 power devices) or Insight Facility (larger residential and small commercial) smart edge devices for energy management and monitoring, as well as homeowners managing distributed energy systems or solar/battery assets connected through these devices.
How it could be exploited
An attacker on the same local network (home Wi-Fi or wired LAN) could target the RTOS component in the Insight Home or Facility device. The attacker would need network connectivity to the device and knowledge of the RTOS vulnerability; the advisory does not specify the technical details of the flaw. Once exploited, the attacker could alter device operation or access stored data.
Prerequisites
  • Access to the local network segment where the device is connected (home Wi-Fi or Ethernet)
  • Knowledge of the specific RTOS vulnerability (details not provided in advisory)
  • Device must be reachable on the local network (not air-gapped)
  • Affects energy management and monitoring devices
  • No patch available from vendor
  • Requires local network access, but vulnerable in typical home/small commercial network environments
  • Default credentials may not be changed by users
Affected products (2, both EOL)
  Product            Affected Versions   Fix Status
  Insight Home       All versions        No fix (EOL)
  Insight Facility   All versions        No fix (EOL)
Remediation & Mitigation
Do now
  • Hardening: Ensure Insight Home and Facility devices are connected only to a home or business router with firewall enabled; never expose to the public internet.
  • Hardening: Do not configure port forwarding or create public IP addresses for these devices; use only private IP ranges (10.x.x.x/8, 172.16.x.x/12, or 192.168.x.x/16).
  • Hardening: Change the default Admin password immediately upon receipt and after any factory reset; use passwords with upper case, lower case, numbers, special characters, and minimum 20 characters.
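The three "Do now" controls are all things a device owner can verify mechanically: the device address sits inside one of the private ranges listed, the router forwards no WAN port to it, and the admin password is no longer the shipped one and meets the stated policy. The following script is an added example written for this page, not Schneider Electric's or OTPulse's code. The NAT rule format (dicts with `wan_port`, `lan_ip`, `lan_port`), the sample rules and the sample passwords are constructed for illustration; real routers export forwarding rules in their own formats, so the input parsing would have to be adapted. Note that `172.16.0.0/12` covers `172.16.x.x` through `172.31.x.x` only, a detail the `ipaddress` module gets right where a naive prefix comparison on "172." would not.

```python
import ipaddress
import string

# The three private (RFC 1918) ranges named in the "Do now" list.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample router state for this example (not from the advisory).
SAMPLE_NAT_RULES = [
    {"wan_port": 8080, "lan_ip": "192.168.1.50", "lan_port": 80},   # exposes the device
    {"wan_port": 51820, "lan_ip": "192.168.1.2", "lan_port": 51820},  # unrelated (VPN box)
]


def is_private_address(addr: str) -> bool:
    """True if addr lies inside one of the RFC 1918 ranges the advisory allows."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def find_port_forwards(nat_rules, device_ip: str):
    """Return every forwarding rule whose LAN target is the device.
    Rule layout is an assumption made for this example."""
    return [rule for rule in nat_rules if rule["lan_ip"] == device_ip]


def password_meets_policy(pw: str, min_len: int = 20):
    """Apply the advisory's password rule: >= 20 chars with upper, lower,
    digit and special characters. Returns (ok, list of unmet requirements)."""
    failures = []
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if not any(c.isupper() for c in pw):
        failures.append("no upper case letter")
    if not any(c.islower() for c in pw):
        failures.append("no lower case letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")
    return (not failures, failures)


def audit_device(device_ip: str, nat_rules, admin_password: str, shipped_password: str):
    """Check one device against the three 'Do now' controls.
    shipped_password is whatever came with the unit; the caller supplies it."""
    findings = []
    if not is_private_address(device_ip):
        findings.append(f"device address {device_ip} is not in a private range")
    forwards = find_port_forwards(nat_rules, device_ip)
    for rule in forwards:
        findings.append(
            f"WAN port {rule['wan_port']} is forwarded to {device_ip}:{rule['lan_port']}"
        )
    if admin_password == shipped_password:
        findings.append("admin password is still the shipped default")
    ok, why = password_meets_policy(admin_password)
    if not ok:
        findings.append("admin password policy: " + ", ".join(why))
    return findings


if __name__ == "__main__":
    # Constructed values; the shipped password here is a placeholder, not a real default.
    for finding in audit_device("192.168.1.50", SAMPLE_NAT_RULES, "admin", "admin"):
        print("FINDING:", finding)
    print("clean:", audit_device("192.168.1.51", SAMPLE_NAT_RULES,
                                 "Insight-Home-Local-2025!", "admin"))
```

Running it on the constructed router state reports the forwarded port, the unchanged shipped password and the policy failures for the first device, and an empty finding list for the second, which has no forward and a compliant password.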
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • Hardening: Place the device on a separate network segment (guest network or VLAN if supported by router) to isolate it from other home or office devices.
  • Hardening: Configure Wi-Fi with WPA3 encryption, or WPA2/3 with protected management frames; disable weaker encryption standards.
Long-term hardening
  • Hotfix: Apply regular security patches to home router and connected devices; monitor Schneider Electric security advisories for future updates.
  • Workaround: Schedule regular reboots of router, smartphones, and computers to clear potential exploits from memory.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Insight Home All versions, Insight Facility All versions. Apply the following compensating controls:
  • Hardening: Restrict physical access to USB and Ethernet ports to prevent unauthorized device tampering or manual exploitation.
API: /api/v1/advisories/fa0e6362-402e-407a-9a59-7ad8139f737b