16 November 2017

Schneider Electric Closes Critical Vulnerability in HMI Products

US ICS-CERT has published an advisory stating that a critical vulnerability, classified as CWE-121, in Schneider Electric products has been closed by the vendor. This is a stack-based buffer overflow that attackers with a low skill level can exploit to remotely execute code with elevated privileges.

Schneider Electric has announced the release of updates for the following vulnerable products:

  • SCADA/HMI application development platform InduSoft Web Studio v8.0 SP2 and prior versions;
  • HMI InTouch Machine Edition v8.0 SP2 and prior versions.

These solutions are widely used by industrial facilities in many countries and across many industries, including industrial manufacturing, electric power, water supply, automotive, oil and gas, and building automation.

Source: US-CERT