Schneider Electric Altivar Products, ATVdPAC Module, ILC992 InterLink Converter (Update B)
Risk Summary
Schneider Electric is aware of a vulnerability in its [ATVdPAC module](http://www.se.com/ww/en/product/VW3A3530D/atv-dpac-module/) / [ATV6000 Medium Voltage Altivar Process Drives](http://www.se.com/ww/en/product-range/65607-altivar-process-atv6000) / [ATV630/650/660/680/6A0/6B0/6L0 Altivar Process Drives](http://www.se.com/ww/en/product-range/62317-altivar-process-atv600) / [ATV930/950/955/960/980/9A0/9B0/9L0 Altivar Process Drives](http://www.se.com/ww/en/product-range/63124-altivar-process-atv900) / [ATV340E Altivar Machine Drives](http://www.se.com/ww/en/product-range/63441-altivar-machine-atv340#products) / [ATS490 Altivar Soft Starter](http://www.se.com/ww/en/product-range/213421154-altivar-soft-starter-ats490) / [Altivar Process Communication Modules](http://www.se.com/ww/en/product-range/62317-altivar-process-atv600/117623851529-modular-drives-apm) products. Failure to apply the remediations or mitigations provided below may risk Cross-Site Scripting, which could result in partial loss of confidentiality and integrity of the workstation running a Web browser.
CVEs (1)
Remediations
- Version 25.0 of VW3A3530D: ATVdPAC module includes a fix for this vulnerability and is available upon request from Schneider Electric's [Customer Care Center](https://www.se.com/us/en/work/support/contacts.jsp).
- Version 4.5 of ATV6xx drives includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product-range/62317-altivar-process-atv600/#software-and-firmware
- Version 4.5 of ATV9xx drives includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product-range/63124-altivar-process-atv900/#software-and-firmware
- Version 4.5 of ATV340 drives includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product-range/63441-altivar-machine-atv340/#software-and-firmware
- Version 1.2ie05 of ATS490 drives includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/download/document/ATS490-Firmware/
- If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
  - End user cybersecurity awareness and workstation protections.
  - Deactivate the Webserver after use when not needed.
  - Set up network segmentation and implement a firewall to block all unauthorized access to port 80/HTTP.
  - Use VPN (Virtual Private Networks) tunnels if remote access is required.
- Schneider Electric is establishing a remediation plan for all future versions of the following products that will include a fix for this vulnerability:
  - ILC992 InterLink Converter
  - VW3A3720 & VW3A3721 Altivar Process Communication Modules

  We will update this document when the remediation is available. Until then, customers should immediately apply the following mitigations to reduce the risk of exploit:
  - End user cybersecurity awareness and workstation protections.
  - Deactivate the Webserver after use when not needed.
  - Set up network segmentation and implement a firewall to block all unauthorized access to port 80/HTTP.
  - Use VPN (Virtual Private Networks) tunnels if remote access is required.
- Version 2.2 of ATV6000 drives includes a fix for this vulnerability and is available upon request from Schneider Electric's [Customer Care Center](https://www.se.com/us/en/work/support/contacts.jsp).
Affected Vendors
Affected Products (47)
Affected Sectors
Critical Manufacturing