Mitigation available for flaw in building automation system

Paris-based industrial control manufacturer Schneider Electric has released updated firmware to patch a remotely exploitable vulnerability for its StruxureWare Building Expert building automation system. The multipurpose management device enables 24/7 monitoring of HVAC, lighting and metering systems.

Independent researcher Artyom Kurbatov revealed that the application passes user credentials in plaintext between the server and client machines. As a result, attackers can obtain user logon credentials, according to an advisory from the Industrial Control System Cyber Emergency Response Team (ICS-CERT).

Kurbatov attested that the updated firmware patches the flaw, which has not yet been publicly exploited.

Versions of the device earlier than 2.15 are vulnerable, ICS-CERT said, giving the flaw its highest warning, a Common Vulnerability Scoring System (CVSS) score of 10.0.

Schneider Electric has urged all customers to upgrade its MPM to the newly released v2.15 or higher.
