ICSA-17-180-02 · Published 2019-01-08
Schneider Electric U.motion Builder (Update A)
CVSS 10.0
CRITICAL
CISA KEV — Known Exploited
Risk Summary
A successful exploit of these vulnerabilities could allow an attacker to execute arbitrary commands or compromise the confidentiality, integrity, and availability of the system.
CVEs (22)
CVE-2017-7973
CVE-2018-7765
CVE-2018-7766
CVE-2018-7767
CVE-2018-7768
CVE-2018-7769
CVE-2018-7772
CVE-2018-7773
CVE-2018-7774
CVE-2017-7974
CVE-2018-7763
CVE-2018-7764
CVE-2018-7770
CVE-2018-7771
CVE-2017-9956
CVE-2017-9957
CVE-2017-9958
CVE-2017-9959
CVE-2017-9960
CVE-2018-7776
CVE-2018-7777
CVE-2017-7494
Remediations
- Schneider Electric's security notice SEVD-2017-178-01 is available
- Firmware update Version 1.3.4, which includes fixes for most of these vulnerabilities, has been released. It is highly recommended that U.motion Builder users apply the patch in a timely manner.
- The firmware is available for download
- U.motion server firmware update Version 1.3.4 is available
Affected Vendors
Schneider Electric Software, LLC
Affected Products (1)
Schneider Electric Software, LLC · U.motion Builder <= 1.2.1
Affected Sectors
Commercial Facilities, Critical Manufacturing, and Energy