Schneider Electric reports critical vulnerability in EcoStruxure IT Gateway
Take action: If you are running EcoStruxure IT Gateway, it is time for a quick patch. The advice to place it "on protected access-controlled networks only" is useless, since its main function is to integrate remote devices, including cloud- and internet-connected ones. This one won't pass the "we have an OT network" argument. Just work through the patch, quickly.
Schneider Electric has disclosed a critical security vulnerability in their EcoStruxure IT Gateway, a component of the EcoStruxure IT platform designed to connect and manage IT infrastructure devices in the cloud.
The flaw, tracked as CVE-2024-10575 (CVSS score 9.8), is a missing authorization vulnerability: it allows unauthorized access when the system is enabled on the network, potentially impacting connected devices and allowing retrieval of sensitive information. Successful exploitation could result in complete control of the Gateway. The following versions are affected:
- EcoStruxure IT Gateway 1.21.0.6
- EcoStruxure IT Gateway 1.22.0.3
- EcoStruxure IT Gateway 1.22.1.5
- EcoStruxure IT Gateway 1.23.0.4
Note: Versions prior to 1.21.0.6 are not affected by this vulnerability.
The affected product is deployed in critical infrastructure sectors worldwide, including:
- Commercial Facilities
- Information Technology
- Healthcare and Public Health
- Critical Manufacturing
- Transportation Systems
- Energy
- Chemical
Schneider Electric has released version 1.23.1.10 to address this vulnerability. Users with automatic updates enabled do not need to take additional action. For those who cannot immediately update, the company recommends several mitigations:
- Place the Gateway software on protected access-controlled networks only
- Implement a local firewall to deny remote access to the web API
- Remove the Gateway software and install a clean build of version 1.23.1.10
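The practical question for anyone with more than one Gateway is which hosts still need the patch. The script below is an added example written for this page, not code from Schneider Electric or the advisory. It assumes that four-part version strings compare numerically field by field, and it conservatively treats any build between the first affected release (1.21.0.6) and the fix (1.23.1.10) as affected, since the advisory only enumerates the builds it tested. The inventory records, hostnames and the `auto_update` flag are constructed for illustration; a real run would read them from your asset inventory.

```python
"""Triage EcoStruxure IT Gateway hosts against CVE-2024-10575.

Added example, not code from Schneider Electric or from the advisory.
Assumes four-part dotted versions compare numerically field by field,
and conservatively treats any build between the first affected release
(1.21.0.6) and the fix (1.23.1.10) as affected, since the advisory only
enumerates the builds it tested.
"""

from typing import Dict, List, Tuple

# Versions named in the advisory.
FIRST_AFFECTED = (1, 21, 0, 6)
FIXED = (1, 23, 1, 10)
LISTED_AFFECTED = {"1.21.0.6", "1.22.0.3", "1.22.1.5", "1.23.0.4"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.23.0.4' into (1, 23, 0, 4); pad shorter strings with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version: str) -> str:
    """Return 'not_affected', 'affected' or 'fixed' for one installed version."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "not_affected"  # advisory: builds before 1.21.0.6 are unaffected
    if v >= FIXED:
        return "fixed"
    # A listed build, or an untested build in between (assumption: treat as affected).
    return "affected"


def recommend(host: Dict[str, object]) -> str:
    """Action for one inventory record: patch-now, verify-auto-update, or none."""
    state = classify(str(host["version"]))
    if state != "affected":
        return "none"
    # Auto-update should already have pulled 1.23.1.10; if the host still
    # reports an affected build, the update did not land, so verify it rather
    # than assume the vendor statement covers this host.
    if host.get("auto_update"):
        return "verify-auto-update"
    return "patch-now"


def triage(inventory: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Classify every host; returns (hostname, state, action) tuples."""
    return [(str(h["host"]), classify(str(h["version"])), recommend(h)) for h in inventory]


# Constructed sample inventory; hostnames, versions and flags are made up.
SAMPLE_INVENTORY = [
    {"host": "dc1-gw01", "version": "1.23.0.4", "auto_update": False},
    {"host": "dc1-gw02", "version": "1.23.0.4", "auto_update": True},
    {"host": "dc2-gw01", "version": "1.23.1.10", "auto_update": True},
    {"host": "lab-gw01", "version": "1.20.5.2", "auto_update": False},
    {"host": "dc3-gw01", "version": "1.22.1.7", "auto_update": False},  # untested build
]

if __name__ == "__main__":
    for host, state, action in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {state:13} {action}")
```

The point of the conservative range rule is that an internal build the vendor never listed (1.22.1.7 in the sample) still lands on the patch list; the only way off it is a version at or above 1.23.1.10, which is also what you should confirm on hosts that claim automatic updates.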
CISA reports that there is no known public exploitation of this vulnerability at the time of disclosure.