Paris-based industrial control manufacturer Schneider Electric has released updated firmware to patch a remotely exploitable vulnerability for its StruxureWare Building Expert building automation system. The multipurpose management device enables 24/7 monitoring of HVAC, lighting and metering systems.

Independent researcher Artyom Kurbatov revealed that the application passes user credentials unencrypted in plaintext between the server and client machines. Thus, attackers can obtain user logon credentials, according to an advisory from the Industrial Control System Cyber Emergency Response Team (ICS-CERT).

Kurbatov attested that the updated firmware patches the flaw, which has not yet been publicly exploited.

Versions of the device earlier than 2.15 are vulnerable, ICS-CERT said, designating it with its highest warning, a Common Vulnerability Scoring System (CVSS) score of 10.0.

Schneider Electric has urged all customers to upgrade its MPM to the newly released v2.15 or higher.