Advisory

CISA warns of critical flaw in Schneider Electric PowerLogic PM55xx and PowerLogic PM8ECC powermeter

Take action: If you are running Schneider Electric PowerLogic powermeters and Ethernet modules, review this advisory in detail. Patching may be very difficult if the powermeters are installed on location and you need to update them all. Review the advisory and apply the mitigating measures first, then update the devices gradually as you service your powermeters.


Learn More

Schneider Electric has disclosed multiple security vulnerabilities affecting their PowerLogic PM55xx power metering devices and PowerLogic PM8ECC ethernet communication module. These vulnerabilities could potentially allow attackers to gain escalated privileges and obtain control of the affected devices.

Vulnerabilities summary:

  • CVE-2021-22763 (CVSS score 9.5): A weak password recovery mechanism vulnerability that could allow unauthorized access and potential denial of service to legitimate system users
  • CVE-2021-22764 (CVSS score 6.9): An improper authentication vulnerability that could expose sensitive information or enable remote code execution

The vulnerabilities impact multiple device models including:

  • PM5560: Versions prior to v2.7.8
  • PM5561: Versions prior to v10.7.3
  • PM5562: v2.5.4 and prior
  • PM5563: Versions prior to v2.7.8
  • PM8ECC: All versions (Note: This product has reached end of service and is no longer supported)

Schneider Electric has released patches for most affected devices, with new firmware versions addressing these vulnerabilities. For immediate risk mitigation, users are advised to block HTTP access to devices at the firewall level or disable the HTTP web service, and then to update to the latest firmware versions:

  • PowerLogic PM5560, 5563, 5580: Version 2.8.3
  • PowerLogic PM5561: Version 10.7.3
  • PowerLogic PM5562: Version 4.3.5
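
To plan the gradual rollout, the affected-version ranges listed above can be checked against a device inventory. The following is an added example, not code from Schneider Electric or CISA; the inventory rows, asset names and status labels are constructed for illustration.

```python
import re

# Affected ranges copied from the advisory text above. Value: (bound, inclusive);
# inclusive=True means "vX and prior", bound=None means every version is affected.
AFFECTED = {
    "PM5560": ((2, 7, 8), False),
    "PM5561": ((10, 7, 3), False),
    "PM5562": ((2, 5, 4), True),
    "PM5563": ((2, 7, 8), False),
    "PM8ECC": (None, True),  # end of service, no fixed firmware
}

def parse_version(text):
    """Turn 'v2.7.8' or '2.7' into a tuple of ints; raise ValueError otherwise."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def triage(model, version):
    """Classify one device as 'affected', 'not-listed' or 'review' (labels are ours)."""
    model = model.strip().upper()
    if model not in AFFECTED:
        return "review"  # model absent from the affected list: check by hand
    bound, inclusive = AFFECTED[model]
    if bound is None:
        return "affected"
    try:
        v = parse_version(version)
    except ValueError:
        return "review"  # version string we cannot compare safely
    width = max(len(v), len(bound))
    v += (0,) * (width - len(v))          # so 10.7 compares as 10.7.0
    bound += (0,) * (width - len(bound))
    hit = v <= bound if inclusive else v < bound
    return "affected" if hit else "not-listed"

# Constructed sample inventory: (asset name, model, reported firmware).
INVENTORY = [
    ("meter-01", "PM5560", "v2.7.7"),
    ("meter-02", "PM5560", "2.8.3"),
    ("meter-03", "PM5562", "v2.5.4"),
    ("meter-04", "PM8ECC", "unknown"),
    ("meter-05", "PM5580", "2.8.3"),
    ("meter-06", "PM5561", "10.7"),
]

def report(inventory):
    return {name: triage(model, fw) for name, model, fw in inventory}
```

Devices that come back as `affected` are the ones to put behind the HTTP block first; `review` marks models or version strings the affected list does not cover.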