Advisory

Schneider Electric reports critical flaw in Wiser Home Controller WHC-5918A

Take action: If you are using Schneider Electric Wiser Home Controller WHC-5918A devices, be aware that they are critically vulnerable and won't be patched. As usual, make sure they are isolated from the internet and accessible only from trusted networks. Then make a full risk assessment and consider replacing them with supported and secured devices.


Learn More

Schneider Electric is reporting a critical security vulnerability affecting its Wiser Home Controller WHC-5918A product.

The flaw is tracked as CVE-2024-6407 (CVSS score 9.8) and enables attackers to disclose sensitive credentials by sending specially crafted messages to the vulnerable device. Successful exploitation could lead to unauthorized access to systems and potential compromise of connected infrastructure.

Schneider Electric has confirmed that all versions of the Wiser Home Controller WHC-5918A are affected by this vulnerability.

The Wiser Home Controller WHC-5918A has been discontinued and is no longer supported. Users are advised to upgrade to the latest product offering (C-Bus, Home Controller, SpaceLogic IP, Free Standing, 24V DC, 5200WHC2) and to remove the vulnerable Wiser Home Controller WHC-5918A from service entirely.

CISA recommends implementing the following defensive measures to minimize exploitation risk:

  • Minimize network exposure for all control system devices and systems
  • Ensure control systems are not directly accessible from the Internet
  • Place control system networks and remote devices behind firewalls
  • When remote access is required, use secure methods such as Virtual Private Networks (VPNs)