Researchers with cybersecurity company Tenable released a report on May 2, 2018 outlining critical remote code execution vulnerabilities in two Schneider Electric industrial control products. If exploited, this flaw could provide threat actors with the ability to severely disrupt or kill operations in affected systems.
The exploit is found in the company’s InduSoft Web Studio and InTouch Machine Edition. Schneider Electric has issued patches for both products.
InduSoft Web Studio a suite of tools that are used to automate the creation of human-machine interfaces (HMIs) and supervisory control and data acquisition systems (SCADAs). InTouch Machine Edition is software that helps users develop HMI/SCADA applications that are used to connect automation systems. According to Tenable, both software packages are widely deployed in sensitive industries such as in agriculture, oil, gas, and nuclear power, manufacturing, and physical security.
The vulnerability, which according to Threat Post rates a 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), allows an attacker to remotely execute arbitrary code on the system. This could lead to the full compromise of the server, and, open the network to lateral movement, allowing the threat actor to execute additional attacks.
Schneider Electric recognizes this as a critical vulnerability and is urgently recommending that users of the software install the patches as soon as humanly possible. Though there are no known instances of this vulnerability being exploited in the wild, it’s bound to happen now that there is a proof of concept.