Critical vulnerability in Schneider Electric EcoStruxure Products
Take action: If you are using Schneider Electric EcoStruxure products, make sure they are isolated from the internet, ideally on a separate network. Apply as many restrictions and access limits to the products as you can, and then plan for a patch process. The vulnerability is quite severe, so leaving it as is will bite you in the behind.
Schneider Electric is reporting a critical vulnerability in the EcoStruxure Power Monitoring and Operation Products. Successful exploitation of this vulnerability could lead to remote code execution by attackers.
The vulnerability is tracked as CVE-2023-5391 (CVSS v3 score 9.8). It can be exploited remotely and doesn't require advanced skills. The core issue is deserialization of untrusted data, so attackers could send a specially crafted packet to the application to run arbitrary code on the targeted system.
The following versions of Schneider Electric's EcoStruxure Power Monitoring Expert and Power Operation Products are vulnerable:
- EcoStruxure Power Monitoring Expert: Versions prior to application of Hotfix-145271.
- EcoStruxure Power Operation, including Advanced Reports: Versions prior to application of Hotfix-145271.
- EcoStruxure Power SCADA Operation with Advanced Reports: Versions prior to application of Hotfix-145271.
Schneider Electric has released hotfixes for the affected products: for Power Monitoring Expert versions PME 2023, 2022, and 2021, and for Power Operation with Advanced Reports versions EPO 2022 and 2021. Customers using older versions should contact customer care for upgrade information.
Schneider Electric recommends the following cybersecurity measures:
- Using firewalls to separate control/safety system networks from the main business network.
- Implementing physical security measures.
- Safeguarding controllers and ensuring correct settings.
- Maintaining network hygiene and device sanitization.
- Avoiding unnecessary network exposure and ensuring no direct internet accessibility for control systems.
- Using VPNs for remote access while being aware of their vulnerabilities.