December 18, 2018
The NCCIC has updated this advisory with additional information on mitigation measures. NCCIC/ICS-CERT.
May 3, 2018
The NCCIC has updated this advisory with additional details on technical details, mitigation measures, and the NCCIC’s own recommendations. NCCIC/ICS-CERT.
April 17, 2018
The NCCIC has released an advisory on heap-based buffer overflow, improper restriction of operations within the bounds of a memory buffer, and open redirect vulnerabilities in Schneider Electric Floating License Manager. Multiple products and versions of the products are affected. Successful exploitation of these vulnerabilities could cause a denial of service, allow arbitrary execution of code with system level privileges, or send users to arbitrary websites.
The NCCIC/ICS-CERT has released an advisory on vulnerabilities in Schneider Electric InduSoft Web Studio and InTouch Machine Edition. InduSoft Web Studio v8.1 and prior versions and InTouch Machine Edition 2017 v8.1 and prior versions are affected. Successful exploitation of this vulnerability during tag, alarm, or event related actions could allow remote code execution that, under high privileges, could completely compromise the device.
The NCCIC has released an advisory on vulnerabilities in Schneider Electric Modicon Premium, Modicon Quantum, Modicon M340, and Modicon BMXNOR0200. All versions of these products are affected. Successful exploitation of these vulnerabilities could allow a remote unauthorized attacker access to the file transfer service on the device, which could result in arbitrary code execution or malicious firmware installation.
ICS-CERT has released an advisory on a Schneider Electric SoMove Software and DTM Software vulnerability. Numerous versions of this product are affected. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code. Schneider Electric has provided updates for the affected software packages. ICS-CERT also recommends a series of defensive measures to minimize the risk of exploitation of this vulnerability. ICS-CERT.
ICS-CERT has released an advisory on a Schneider Electric IGSS Mobile vulnerability. All versions including and prior to 3.01 of IGSS Mobile for Android and IGSS Mobile for iOS are affected. Successful exploitation of these vulnerabilities could allow an attacker to execute a man-in-the-middle attack. In addition, passwords can be accessed by unauthorized users. An update for Android with the fix for these vulnerabilities is available for download on Google Play.
ICS-CERT has released an advisory on a Schneider Electric IGSS SCADA Software vulnerability. IGSS SCADA Software V12 and all previous versions are affected. Successful exploitation of this vulnerability could cause the device the attacker is accessing to crash or execute arbitrary code. Schneider Electric has provided IGSS SCADA Software V13 to address this vulnerability. ICS-CERT also recommends a series of defensive measures to minimize the risk of exploitation of this vulnerability.
ICS-CERT has released an advisory on a Schneider Electric Pelco VideoXpert Enterprise vulnerability. All versions prior to 2.1 are affected. Successful exploitation of these vulnerabilities may allow an authorized user to gain system privileges or an unauthorized user to view files. Schneider Electric has released firmware Version 2.1 for VideoXpert to address these vulnerabilities. ICS-CERT also recommends a series of defensive measures to minimize the risk of exploitation of this vulnerability.
ICS-CERT has released an advisory on a Schneider Electric InduSoft Web Studio and InTouch Machine Edition vulnerability. For InduSoft Web Studio, v8.0 SP2 Patch 1 and prior versions are affected; for InTouch Machine Edition, v8.0 SP2 Patch 1 and prior versions are affected. Successful exploitation of this vulnerability could allow a remote un-authenticated attacker to remotely execute code with high privileges. For both products, Schneider Electric recommends users upgrade to v8.1 as soon as possible.
ICS-CERT has released an advisory on a vulnerability in Schneider Electric InduSoft Web Studio, InTouch Machine Edition. InduSoft Web Studio v8.0 SP2 or prior and InTouch Machine Edition v8.0 SP2 or prior are affected. Successful exploitation of this vulnerability could allow an attacker to remotely execute arbitrary commands with high privileges. Schneider Electric recommends users using InduSoft Web Studio v8.0 SP2 or prior should upgrade and apply InduSoft Web Studio v8.0 SP2 Patch 1 as soon as possible.
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
