Multiple Altivar Process Drives and Communication Modules
Monitor | 6.1 | SEVD-2025-252-01 | Sep 9, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A Cross-Site Scripting (XSS) vulnerability exists in multiple Altivar Process Drives, Machine Drives, Soft Starters, and associated communication modules. The vulnerability affects the web interface of these drives. An attacker could inject malicious script code that executes in the browser of an operator or engineer accessing the drive's web interface, potentially compromising the integrity and confidentiality of workstation credentials or session data.
What this means
What could happen
An attacker could inject malicious code into the web interface of affected drives, which would execute in the browser of any operator or engineer accessing that interface. This could lead to unauthorized access to drive settings, theft of credentials, or manipulation of drive parameters.
Who's at risk
Energy sector organizations operating Schneider Electric Altivar Process Drives (ATV600 and ATV900 series), Altivar Machine Drives (ATV340E), Altivar Soft Starters (ATS490), ATVdPAC communication modules, and Altivar Process Communication Modules. This includes any facility using these drives for pump control, fan drives, compressor control, or other variable frequency drive (VFD) applications in water systems, power plants, or industrial processes.
How it could be exploited
An attacker crafts a malicious URL or injects script code into the drive's web interface (via parameter manipulation or stored XSS). When an operator or engineer visits the drive's web page in their browser, the malicious script executes in their browser context, allowing the attacker to capture session tokens, credentials, or modify displayed settings without the user's knowledge.
Prerequisites
- Access to the network where the affected drive's web interface is reachable
- An operator or engineer must visit a malicious URL or the compromised drive's web interface in their browser
- No special credentials required to exploit the vulnerability, though credentials may be the target
- Remotely exploitable via web interface
- Requires user interaction (operator must visit malicious link or compromised page)
- Low complexity exploit
- No authentication required to exploit the XSS
- Multiple products affected with no fix available for some variants
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (24)
20 with fix, 4 EOL
Product | Affected Versions | Fix Status
ATVdPAC module | < 25.0 | 25.0
ATV630 Altivar Process Drives | < 4.5 | 4.5
ATV650 Altivar Process Drives | < 4.5 | 4.5
ATV660 Altivar Process Drives | < 4.5 | 4.5
ATV680 Altivar Process Drives | < 4.5 | 4.5
Remediation & Mitigation
Do now
WORKAROUND: For unpatched drives (ILC992, ATV6000, Altivar Process Communication Modules), restrict network access to the web interface using firewall rules; limit access to authorized engineering workstations only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
ATVdPAC module
HOTFIX: Update ATVdPAC module to version 25.0 or later
All products
HOTFIX: Update ATV6xx series drives (ATV630/650/660/680/6A0/6B0/6L0) to firmware version 4.5 or later
HOTFIX: Update ATV9xx series drives (ATV930/950/955/960/980/9A0/9B0/9L0/991/992/993) to firmware version 4.5 or later
HOTFIX: Update ATV340E Machine Drives to firmware version 4.5 or later
HOTFIX: Update ATS490 Altivar Soft Starter to firmware version 1.2ie05 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ATV340E Altivar Machine Drives, Altivar Process Communication Modules All Versions, ILC992 InterLink Converter All Versions, ATV6000 Medium Voltage Altivar Process Drives All Versions. Apply the following compensating controls:
HARDENING: Segment the network so that drive web interfaces are only accessible from a protected engineering network, not from general corporate networks
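As an added example (not from the advisory or the vendor), one way to enforce this segmentation on a Linux gateway that sits between the corporate network and the drive network, using nftables. The drive subnet and the engineering workstation addresses are constructed placeholders; substitute your own.

```nftables
# Added example, not part of the advisory. Addresses below are constructed
# placeholders for illustration.
define DRIVE_NET = 10.10.20.0/24              # subnet hosting the drive web interfaces
define ENG_WS    = { 10.10.5.11, 10.10.5.12 } # authorised engineering workstations only

table inet drive_web {
    chain forward {
        # Weak setting to avoid: "policy accept" with no per-source rule lets any
        # corporate host (and any browser on it) reach the drive web interface.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections already permitted below
        ct state established,related accept

        # Only the listed engineering workstations may open HTTP/HTTPS to the drives
        ip saddr $ENG_WS ip daddr $DRIVE_NET tcp dport { 80, 443 } accept

        # Everything else aimed at the drive web interfaces is logged, then dropped,
        # so unexpected access attempts show up in the gateway log
        ip daddr $DRIVE_NET tcp dport { 80, 443 } log prefix "drive-web-denied: " drop
    }
}
```

Load it with `nft -f` on the gateway and confirm from a non-engineering host that the drive's web page no longer answers, while the listed workstations still reach it.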
CVEs (1)