Schneider Electric EcoStruxure Operator Terminal Expert runtime (Vijeo XD)

Risk Summary

Successful exploitation of this vulnerability may allow unauthorized command execution by a local user of the Windows engineering workstation, which could result in loss of availability, confidentiality, and integrity of the workstation where EcoStruxure Operator Terminal Expert runtime is installed.

CVEs (1)

Remediations

• Schneider Electric has prepared Version 3.1 Service Pack 1B of the EcoStruxure Operator Terminal Expert product with a fix for this vulnerability. This fix is also available through Schneider Electric Software Update (SESU). If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
• Use EcoStruxure Operator Terminal Expert runtime software only on a trusted workstation.
• Harden workstation following the best cybersecurity practices (antivirus, updated operating systems, strong password policies, application white listing software, etc.) by following Schneider Electric's best practices guidelines.
• Use Windows PC with UEFI technology. Users can identify if their PC uses the UEFI technology by using the following system command: msinfo32.exe provided by Microsoft Windows. This command provides the system information. The section BIOS mode displays either “UEFI” or “LEGACY”. If the value is UEFI, the PC is not vulnerable, if the value is LEGACY then the PC is vulnerable.
• If the value is UEFI, the PC is not vulnerable, if the value is LEGACY then the PC is vulnerable.
• For further information please refer to SEVD-2020-315-02.

Affected Vendors

Affected Products (2)

Affected Sectors

Commercial Facilities, Energy, Food and Agriculture, Government Facilities, Transportation Systems, Water and Wastewater Systems