Schneider Electric IIoT Monitor (Update A) (ICSA-19-008-02) – Product Used in the Energy Sector

January 15, 2019

The NCCIC has updated this advisory with information on the nature of the vulnerabilities. Read the full advisory at NCCIC/ICS-CERT.

January 8, 2019

The NCCIC has published an advisory on path traversal, unrestricted upload of file with dangerous type, and XXE vulnerabilities in Schneider Electric IIoT Monitor. Versions 3.1.38 and prior are affected. Successful exploitation of these vulnerabilities could allow a remote attacker to access files available to system users, arbitrarily upload and execute malicious files, and embed incorrect documents into the system output to expose restricted information. Schneider Electric recommends that affected users contact Schneider Electric customer support for assistance in migrating to the latest software to resolve the issues and has released a security notification. The NCCIC also advises on a series of mitigating measures for these vulnerabilities. NCCIC/ICS-CERT.