Schneider Electric has issued urgent security advisories for multiple critical vulnerabilities affecting its Power Logic products, which could allow attackers to execute arbitrary code, cause denial-of-service conditions, or gain unauthorized access to industrial control systems. These flaws (CVE-2024-10497 and CVE-2024-10498) pose significant risks to operational technology (OT) environments and require immediate remediation.

Overview of the Vulnerabilities

The vulnerabilities impact Schneider Electric's Power Logic series, including:
- PowerLogic ION9000 series power meters
- PowerLogic PM8000 series power meters
- PowerLogic EGX100/300/500 gateways

CVE-2024-10497 (CVSS 9.8 - Critical):
- A remote code execution vulnerability in the web interface
- Allows unauthenticated attackers to execute arbitrary commands
- Exploitable via specially crafted HTTP requests

CVE-2024-10498 (CVSS 8.8 - High):
- A buffer overflow vulnerability in the firmware
- Could lead to denial-of-service or potential code execution
- Requires network access to exploit

Impact on Industrial Environments

These vulnerabilities are particularly concerning because:
- Power Logic devices are widely deployed in critical infrastructure
- Successful exploitation could disrupt power monitoring and management
- Attackers could manipulate energy data or disable protective functions
- Compromised devices could serve as entry points to broader OT networks

Affected Products and Firmware Versions

Product Series Vulnerable Firmware Versions Patched Versions
ION9000 All versions before v2.040 v2.040 and later
PM8000 All versions before v3.121 v3.121 and later
EGX100/300/500 All versions before v1.90 v1.90 and later

Schneider Electric recommends the following immediate actions:

  1. Apply firmware updates immediately
    - Download patches from Schneider Electric's security portal
    - Follow strict change management procedures for OT environments

  2. Network segmentation
    - Isolate Power Logic devices in dedicated VLANs
    - Implement firewall rules to restrict access

  3. Access controls
    - Disable unnecessary web interfaces if possible
    - Implement strong authentication mechanisms

  4. Monitoring
    - Deploy network monitoring for anomalous traffic patterns
    - Enable logging and review logs regularly

Long-Term Security Considerations

For organizations using industrial control systems:
- Establish a regular patch management program for OT assets
- Conduct periodic vulnerability assessments
- Implement defense-in-depth strategies
- Train personnel on ICS security best practices

Disclosure Timeline

  • 2023-11-15: Vulnerabilities reported to Schneider Electric
  • 2024-01-10: Vendor acknowledges and begins investigation
  • 2024-02-15: Patches developed and verified
  • 2024-03-05: Public disclosure coordinated with ICS-CERT

Additional Resources

Organizations can find more information at:
- Schneider Electric Security Notification
- ICS-CERT Advisory
- NVD Entries for CVE-2024-10497/10498

Conclusion

These critical vulnerabilities in Schneider Electric Power Logic products underscore the growing cybersecurity challenges facing industrial environments. Organizations must prioritize patching these systems and reviewing their overall ICS security posture to prevent potential disruptions to critical operations.