ICSA-15-020-02 · Published 2025-06-06
Schneider Electric ETG3000 FactoryCast HMI Gateway Vulnerabilities
CVSS 10.0 · CRITICAL
CVEs (2)
Remediations
- Schneider Electric has produced updated firmware, labelled V1.60 IR 04. This firmware release moves the jar files directory into a secure area and adds the ability to disable the FTP server. The updated firmware can be downloaded at: http://www.schneider-electric.com/download/WW/EN/details/681790255-TSXETG30xx-V160-IR4/?showAsIframe=trueandreference=ETG30xxV160-IR04
- Schneider Electric recommends that the FTP server be deactivated when not needed.
- The firmware update does not remove the hard-coded credentials.
- Narendra Shinde also found that configuration files were accessible using default credentials. Schneider Electric recommends that users change the default login credentials. This will protect configuration files from unauthorized access.
Affected Vendors
Schneider Electric
Affected Products (4)
- Schneider Electric · TSXETG3000 · vers:all/*
- Schneider Electric · TSXETG3010 · vers:all/*
- Schneider Electric · TSXETG3021 · vers:all/*
- Schneider Electric · TSXETG3022 · vers:all/*