Schneider Electric EcoStruxure, EcoStruxure Process Expert, SCADAPack RemoteConnect for x70

Risk Summary

The successful exploitation of these vulnerabilities on the affected products could lead to the execution of malicious files, which could result in code execution with elevated privileges.

CVEs (13)

Remediations

• AT&T Labs have stated this software is longer supported and recommends vendors to move away from using it.
• EcoStruxure Control Expert V15.1 HF001 or later.
• EcoStruxure Process Expert V2021 or later.
• SCADAPack RemoteConnect for R2.7.3 or later (Users no longer need to update the RemoteConnect application when a Control Expert update is present.)
• Securely store the project files and restrict access to trusted users.
• Use secure communication channels when exchanging files over the network,.
• Only open project files received from trusted sources.
• Compute a hash of the project files and regularly check the consistency of this hash to verify integrity before usage.
• Harden the workstation running EcoStruxure Control Expert or Unity Pro.
• Users using Unity Pro should consider migrating to EcoStruxure Control Expert.
• Harden the workstation running EcoStruxure Process Expert.
• Harden the workstation running SCADAPackRemoteConnect for x70
• See the Schneider Electric Security Notification, number SEVD-2021-222-02 for more information.

Affected Vendors

Affected Products (3)