Security advisory: Uncovering a critical privilege escalation vulnerability in Schneider Electric engineering applications

Discovery date: January 14, 2025

Executive summary 

 
Schneider Electric's Vijeo Designer and Easergy Studio software have been found to contain significant security vulnerabilities. Vijeo Designer, a crucial Human-Machine Interface (HMI) engineering software used in industrial settings, has a high-severity flaw in its privilege management system. This vulnerability allows non-admin users to tamper with system files and potentially gain unauthorized access to critical systems. Similarly, Easergy Studio, used for managing protection relays and substation automation devices, suffers from improper privilege management, posing a serious risk to industrial operations. 
 
In response, the Cybersecurity and Infrastructure Security Agency (CISA) has issued two ICS advisories emphasizing the urgency of mitigation efforts. The vulnerabilities were discovered by Charit Misra of DNV Cyber. Schneider Electric has released updates to fix these issues, and it is crucial for organizations using these products to apply the recommended patches and follow best practices for securing their operational technology (OT) environments. 

Alerts issued 
CISA: CVE-2024-8306 and CVE-2024-9002
 
Improper privilege management vulnerabilities in Schneider Electric software 
 
Schneider Electric's engineering applications, Vijeo Designer and Easergy Studio, have been found to contain significant security vulnerabilities related to improper privilege management. 
 
Vijeo Designer: All versions prior to 6.3 SP1 of this key HMI engineering software, used in industrial environments including EcoStruxure™ Machine Expert systems, are affected. The identified vulnerability, classified as High (CVSS 7.8), arises from improper privilege management by design. This flaw allows non-admin users to tamper with system binaries, which could lead to the loss of confidentiality, integrity, and availability within operational technology (OT) environments. 
 
Easergy Studio: Versions 9.3.1 and prior of this software suite, used for configuring, commissioning, maintaining, and diagnosing protection relays and substation automation devices within electrical networks, are also affected. Easergy Studio primarily supports Easergy and MiCOM protection relays, which are employed in industrial and utility power systems.  
 
High-Level Scenario 
 
The following three threat scenarios outline how an internal or external adversary could exploit these vulnerabilities.
 
In the first scenario, the threat actor is an internal adversary (insider threat). This can be a disgruntled employee or contractor with low-level user access within the organization who utilizes existing credentials to escalate privileges and deploy malicious payloads.  
 
In the second scenario, the threat actor is an external attacker who gains initial access through a compromised user account, a successful supply chain attack, phishing, malware, or stolen credentials. They can then escalate privileges and use them to move laterally across OT networks.
 
In the third scenario, an adversary with full control over the engineering workstation or HMI modifies HMI/SCADA configurations, potentially causing operational failures. They can also deploy ransomware, encrypt critical ICS files and demand payment, disrupt physical operations by sending malicious commands to PLCs or industrial robots, or exfiltrate sensitive OT data for corporate espionage or selling on dark web marketplaces. 
 

Remediation 
 
The remediation approach focuses on understanding and mitigating the vulnerabilities in Schneider Electric’s software. The assessment considers the risk of privilege escalation, the impact on critical infrastructure, and best practices for securing operational technology (OT) systems.  
 
To limit authenticated user access to the workstation running vulnerable applications, it is essential to implement existing User Account Control practices. Additionally, removing the write permissions for "Everyone" on the folder "C:\Program Files (x86)\Schneider Electric\Vijeo-Designer 6.3\Vijeo-Runtime" is recommended. 
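The folder permission check described above, as an added PowerShell example that is not Schneider Electric's or CISA's own tooling. It assumes the install path quoted in the advisory; the broad principals list and the opt-in `-Fix` switch are the example's own choices.

```powershell
# Audit the Vijeo-Runtime folder for write access granted to broad groups
# and optionally strip those ACEs. Run from an elevated PowerShell prompt.
# Assumption: the path below matches the advisory; adjust for your install.
# Without -Fix the script only reports, so it is safe to run as a check.
param(
    [string]$Path = 'C:\Program Files (x86)\Schneider Electric\Vijeo-Designer 6.3\Vijeo-Runtime',
    [switch]$Fix
)

# Principals that should never hold write rights on program binaries.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Rights that would let a non-admin replace or plant binaries in the folder.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "Folder not found: $Path"
    return
}

$acl = Get-Acl -LiteralPath $Path
$offending = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broadPrincipals -contains $_.IdentityReference.Value -and
    (($_.FileSystemRights -band $writeMask) -ne 0)
}

if (-not $offending) {
    Write-Host "OK: no broad write ACEs on $Path"
    return
}

foreach ($ace in $offending) {
    Write-Host ("FINDING: {0} has {1} (inherited={2})" -f
        $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited)
}

if ($Fix) {
    # Inherited ACEs cannot be removed directly: break inheritance while
    # keeping copies of the current ACEs, then drop the offending ones.
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($ace in $offending) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Host "Removed $($offending.Count) broad write ACE(s) from $Path"
}
```

Re-run without `-Fix` afterwards to confirm the folder reports clean; the same check applies to any other product folder that the vendor's advisory names.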
 
Minimizing network exposure for all control system devices and systems is crucial, ensuring they are not accessible from the internet. Vulnerable control system networks and remote devices should be located behind firewalls and isolated from business networks. When remote access is required, more secure methods, such as Virtual Private Networks (VPNs), should be used. 
 
Version V6.3 SP1 of Vijeo Designer includes a fix for this vulnerability and can be installed through the Schneider Electric Software Update (SESU) application. Similarly, Easergy Studio version 9.3.4, released in December 2022, and later versions include a fix for this vulnerability. Schneider Electric recommends using the latest available version.
 
For organizations unable to apply the update immediately, Schneider Electric recommends restricting user access to workstations running vulnerable applications, removing unnecessary write permissions to sensitive folders, and implementing standard OT cybersecurity practices, such as firewall segmentation, strong access controls, and network hardening.

Conclusion 
 
The collaboration between the researcher, Schneider Electric and CISA demonstrates the importance of responsible disclosure in securing critical infrastructure. By adhering to advisories, implementing updates, and leveraging expert insights, organizations can build a more resilient cyber defense posture. 
 
To achieve this, several mitigation strategies can be employed. 

  • First, it is crucial to apply patches and upgrade systems immediately to address vulnerabilities.  
  • Restricting file permissions by removing write permissions from non-admin users helps to prevent unauthorized modifications.  
  • Enabling User Account Control (UAC) is another essential step, as it prevents the execution of unverified binaries.  
  • Monitoring system logs using Security Information and Event Management (SIEM) tools can detect privilege escalation attempts.  
  • Lastly, implementing network segmentation is vital to prevent lateral movement into Industrial Control System (ICS) networks. 
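The log-monitoring step above needs the workstation to actually record writes to the vulnerable folder. The following added PowerShell example (not from the advisory or the vendor) enables file-system auditing, places a SACL on the Vijeo-Runtime folder named in the remediation section, and then lists recent write attempts under it; the folder path and the 24-hour lookback are assumptions.

```powershell
# Make tampering with the Vijeo-Runtime folder visible in the Security log
# so a SIEM can alert on it. Run elevated. Event ID 4663 ("An attempt was
# made to access an object") is only written once the File System audit
# subcategory is enabled and the folder carries an audit rule (SACL).
# Assumption: the path matches the advisory; adjust for your install.
param(
    [string]$Path = 'C:\Program Files (x86)\Schneider Electric\Vijeo-Designer 6.3\Vijeo-Runtime',
    [int]$LookbackHours = 24
)

# 1. Enable object-access auditing for the file system (success events).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Audit write-type actions by anyone, inherited by all files and subfolders.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = [System.Security.AccessControl.FileSystemAuditRule]::new('Everyone', $rights, $inherit, $prop, $flags)

$acl = Get-Acl -LiteralPath $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# 3. Review recent write attempts under the folder. The same filter
#    (Event ID 4663, ObjectName under the runtime path) is what the SIEM
#    rule should encode; every hit from a non-admin account is suspect.
$since = (Get-Date).AddHours(-$LookbackHours)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process = $d.ProcessName
            Object  = $d.ObjectName
            Access  = $d.AccessMask
        }
    } |
    Where-Object { $_.Object -like "$Path*" } |
    Format-Table -AutoSize
```

Writes by the legitimate updater (SESU) and by administrators will also appear, so the SIEM rule should baseline those processes and accounts rather than suppress the event source.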

6/19/2025 9:22:00 AM