Impact-Company-Logo-English Black-01-177x54

Welcome to the Schneider Electric corporate Website

Important message to Schneider Electric mobile application users

Recommended cybersecurity best practices

Stay informed about the latest security notifications

2024/11/12 ​​PowerLogic PM5300 Series​ CVE-2024-9409 CWE-400: An Uncontrolled Resource Consumption • PowerLogic PM5320
• PowerLogic PM5340 
• PowerLogic PM5341 
See Security Notification for specific product versions affected.
SEVD-2024-317-01 PDF SEVD-2024-317-01 CSAF
2024/11/12 ​​Modicon Controllers M340 / Momentum / MC80​ CVE-2024-8933
CVE-2024-8935
• CWE-290: Authentication Bypass by Spoofing
• CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
• Modicon M340 CPU (part numbers BMXP34*)
• Modicon MC80 (part numbers BMKC80) 
• Modicon Momentum Unity M1E Processor (171CBU*)
See Security Notification for specific product versions affected.
SEVD-2024-317-02 PDF SEVD-2024-317-02 CSAF
2024/11/12 ​​Modicon Controllers M340 / Momentum / MC80 ​ CVE-2024-8936
CVE-2024-8937
CVE-2024-8938
• CWE-20: Improper Input Validation
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-119: Improper Restriction of Operations
• Modicon M340 CPU (part numbers BMXP34*)
• Modicon MC80 (part numbers BMKC80) 
• Modicon Momentum Unity M1E Processor (171CBU*)
See Security Notification for specific product versions affected.
SEVD-2024-317-03 PDF SEVD-2024-317-03 CSAF
2024/11/12 ​EcoStruxure™ IT Gateway CVE-2024-10575 CWE-862: Missing Authorization EcoStruxure™ IT Gateway (Versions 1.21.0.6, 1.22.0.3, 1.22.1.5, 1.23.0.4) SEVD-2024-317-04 PDF SEVD-2024-317-04 CSAF
2024/11/12 BadAlloc Vulnerabilities CVE-2020-28895
CVE-2020-35198
CVE-2021-22156
Schneider Electric is aware of multiple memory allocation vulnerabilities dubbed ‘BadAlloc’, disclosed by Microsoft on April 29, 2021. The impact of a successful exploitation of the vulnerabilities may result in denial of service, or remote code execution, depending on the context. See Security Notification for offer specific information. SEVD-2021-313-05 (V24.0) PDF SEVD-2021-313-05 (V24.0) CSAF
2024/11/12 PowerLogic PM55xx and PowerLogic PM8ECC CVE-2021-22763
CVE-2021-22764
• CWE-640: Weak Password Recovery Mechanism for Forgotten Password
• CWE-287: Improper Authentication
• PM5560
• PM5561
• PM5562
• PM5563
• PM8ECC 
See Security Notification for specific product versions affected.
SEVD-2021-159-02 (V2.0) PDF SEVD-2021-159-02 (V2.0) CSAF
2024/10/8 ​​Data Center Expert​ CVE-2024-8531
CVE-2024-8530
• CWE-347: Improper Verification of Cryptographic Signature
• CWE-306: Missing Authentication for Critical Function 
Data Center Expert (Versions 8.1.1.3 and prior) SEVD-2024-282-01 PDF SEVD-2024-282-01 CSAF
2024/10/8 ​​Harmony iPC – HMIBSC IIoT Edge Box Core​ The third-party Yocto OS (v2.1 Krogoth) is used in the HMIBSC offer. It is known to contain multiple high and critical risk vulnerabilities. Schneider Electric cannot update the OS on the HMIBSC due to its hardware limitations and cannot provide further security updates to our customers. • Harmony iPC – HMIBSC IIoT Edge Box Core
• HMIBSCEA53D1L0T 
• HMIBSCEA53D1L0A  
• HMIBSCEA53D1L01
• HMIBSCEA53D1LSE 
• HMIBSCEA53D1LSU
See Security Notification for specific product versions affected.
SEVD-2024-282-02 PDF SEVD-2024-282-02 CSAF
2024/10/8 ​​Easergy Studio​ CVE-2024-9002 CWE-269: Improper Privilege Management Easergy Studio (Versions 9.3.1 and prior) SEVD-2024-282-03 PDF SEVD-2024-282-03 CSAF
2024/10/8 ​EVlink Home Smart and Schneider Charge​ CVE-2024-8070 CWE-312: Cleartext Storage of Sensitive Information • EVlink Home Smart (All versions prior to 2.0.6.0.0)
• Schneider Charge (All versions prior to 1.13.4)
SEVD-2024-282-04 PDF SEVD-2024-282-04 CSAF
2024/10/8 EcoStruxure™ Power Monitoring Expert (PME) CVE-2024-9005 CWE-502: Deserialization of Untrusted Data EcoStruxure™ Power Monitoring Expert (PME) (Version 2022 and prior) SEVD-2024-282-05 PDF SEVD-2024-282-05 CSAF
2024/10/8 ​​Zelio Soft 2​ CVE-2024-8422
CVE-2024-8518
• CWE-416: Use After Free
• CWE-20: Improper Input Validation
​​Zelio Soft 2​ (Versions prior to 5.4.2.2) SEVD-2024-282-06 PDF SEVD-2024-282-06 CSAF
2024/10/8 System Monitor Application in Harmony and Pro-face PS5000 Legacy Industrial PCs CVE-2024-8884 CWE-200: Information Exposure • System Monitor application in Harmony Industrial PC HMIBMO/HMIBMI/HMIPSO/HMIBMP/HMIBMU/HMIPSP/HMIPEP series (All versions)
• System Monitor application in Pro-face Industrial PC PS5000 series  (All versions)
SEVD-2024-282-07 PDF SEVD-2024-282-07 CSAF
2024/10/8 EcoStruxure EV Charging Expert The third-party Yocto Krogoth 2.1 Operating System is used in the EcoStruxure EV Charging Expert product. It is known to contain multiple high and critical severity vulnerabilities. EcoStruxure EV Charging Expert (All versions prior to V6.0.0) SEVD-2024-282-08 PDF SEVD-2024-282-08 CSAF
2024/10/8 Modicon M340 Controller and Communication Modules CVE-2022-0222 CWE-269: Improper Privilege Management Modicon M340 CPUs (BMXP34* versions prior to v3.50)
Modicon M340 X80 Ethernet Communication modules (BMXNOE0100 (H) versions prior to SV03.50 BMXNOE0110 (H) versions prior to SV06.70 BMXNOR* versions prior to v1.7 IR24)
SEVD-2022-102-02 (V3.1) PDF SEVD-2022-102-02 (V3.1) CSAF
2024/9/10 ​​Vijeo Designer ​ CVE-2024-6918 CWE-269: Improper Privilege Management  • Vijeo Designer (Versions prior to V6.3 SP1 ) 
• Vijeo Designer embedded in EcoStruxure™ Machine Expert  (All versions)
SEVD-2024-254-01 PDF SEVD-2024-254-01 CSAF
2024/9/10 ​​EcoStruxure™ Power Monitoring Expert and EcoStruxure™ Power Operation or EcoStruxure™ Power SCADA Operation with Advanced Reporting and Dashboards​ CVE-2024-8401 CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) • EcoStruxure™ Power Monitoring Expert (PME) 2021
• EcoStruxure™ Power Monitoring Expert (PME) 2020
• EcoStruxure™ Power Operation (EPO) 2022
• EcoStruxure™ Power Operation (EPO) 2022 – Advanced Reporting and Dashboards Module
• EcoStruxure™ Power Operation (EPO) 2021
• EcoStruxure™ Power Operation (EPO) 2021 – Advanced Reporting and Dashboards Modul
• EcoStruxure™ Power SCADA Operation 2020 (PSO) - Advanced Reporting and Dashboards Module 
See Security Notification for specific product versions affected.
SEVD-2024-254-02 PDF SEVD-2024-254-02 CSAF
2024/9/10 PowerLogic P5 CVE-2024-5559 CWE-327: Use of a Broken or Risky Cryptographic Algorithm PowerLogic P5 (v01.500.104 and prior) SEVD-2024-163-02 (V1.2) PDF SEVD-2024-163-02 (V1.2) CSAF
2024/9/10 EcoStruxure™ Power Monitoring Expert CVE-2023-28003 CWE-613: Insufficient Session Expiration • EcoStruxure™ Power Monitoring Expert 2022
• EcoStruxure™ Power Operation (EPO)
See Security Notification for specific product versions affected.
SEVD-2023-073-01 (V3.0) PDF SEVD-2023-073-01 (V3.0) CSAF
2024/08/13 Accutech Manager CVE-2024-6918 CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Accutech Manager (Versions 2.8.0.0 and prior) SEVD-2024-226-01 PDF SEVD-2024-226-01 CSAF
2024/08/13 ​​EcoStruxure™ Machine SCADA Expert / BLUE Open Studio​ Schneider Electric is aware of a vulnerability disclosed on AVEVA component used in ​EcoStruxure™ Machine SCADA Expert and BLUE Open Studio​ products. • EcoStruxure™ Machine SCADA Expert (Version prior to 2020 SP3 HF1) 
• Pro-face BLUE Open Studio (Version prior to 2020 SP3 HF1)
SEVD-2024-226-02 PDF SEVD-2024-226-02 CSAF
2024/08/13 Modicon Controllers M241/ M251, M258 / LMC058 and M262 CVE-2024-6528 CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • Modicon Controllers M241 / M251 (Version prior to v5.2.11.24)
• Modicon Controllers M258 / LMC058 (All versions)
• Modicon Controllers M262 (Versions prior to v5.2.8.26)
SEVD-2024-191-04 (V3.0) PDF SEVD-2024-191-04 (V3.0) CSAF
2024/08/13 ​​​EcoStruxure™ Control Expert, EcoStruxure™ Process Expert ​and Modicon M340, M580 and M580 Safety PLCs​​​ CVE-2023-6408
CVE-2023-6409
CVE-2023-27975
• CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
• CWE-798: Use of Hard-coded Credentials
• CWE-522: Insufficiently Protected Credentials
• Modicon M340 CPU (part numbers BMXP34*)
• Modicon M580 CPU (part numbers BMEP* and BMEH*, excluding M580 CPU Safety)
• Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S)
• Modicon MC80 (part numbers BMKC80)
• Modicon Momentum Unity M1E Processor (171CBU*)
• EcoStruxure™ Control Expert
• EcoStruxure™ Process Expert
See Security Notification for specific product versions affected.
SEVD-2024-044-01 (V2.0) PDF SEVD-2024-044-01 (V2.0) CSAF
2024/08/13 ​​EcoStruxure™ OPC UA Server Expert, Modicon Communication Server​ CVE-2023-37200 CWE-611: Improper Restriction of XML External Entity Reference • EcoStruxure™ OPC UA Server Expert (Versions prior to SV2.01 SP2) SEVD-2023-192-02 (V2.0) PDF SEVD-2023-192-02 (V2.0) CSAF
2024/08/13 Modicon PLCs (Programmable Logic Controllers) and PACs (Programmable Automation Controllers) CVE-2023-25619
CVE-2023-25620
CWE-754: Improper Check for Unusual or Exceptional Conditions • Modicon M340 CPU (part numbers BMXP34*)
• Modicon M580 CPU (part numbers BMEP* and BMEH*)
• Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S)
• Modicon Momentum Unity M1E Processor (171CBU*)
• Modicon MC80 (BMKC80)
• Legacy Modicon Quantum (140CPU65*)
• Legacy Modicon Premium CPUs (TSXP57*)
See Security Notification for specific product versions affected.
SEVD-2023-101-05 (V4.0) PDF SEVD-2023-101-05 (V4.0) CSAF
2024/08/13 EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and Modicon M340, M580 and M580 CPU Safety CVE-2022-45789 CWE-294: Authentication Bypass by Capture-replay vulnerability. • EcoStruxure™ Control Expert
• EcoStruxure™ Process Expert
• Modicon M340 CPU (part numbers BMXP34*)
• Modicon M580 CPU (part numbers BMEP* and BMEH*)
• Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S)
• Modicon Momentum Unity M1E Processor (171CBU*)
• Modicon MC80 (BMKC80)
See Security Notification for specific product versions affected.
SEVD-2023-010-06 (V5.0) PDF SEVD-2023-010-06 (V5.0) CSAF
2024/08/13 EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and Modicon PLCs (Programmable Logic Controllers) and PACs (Programmable Automation Controllers) CVE-2022-45788 CWE-754: Improper Check for Unusual or Exceptional Conditions • Modicon Controllers M241 / M251
• Modicon Controllers M258 / LMC058
• Modicon Controllers M262
See Security Notification for specific product versions affected.
SEVD-2023-010-05 (V6.0) PDF SEVD-2023-010-05 (V6.0) CSAF
2024/08/13 Modicon PAC Controllers CVE-2021-22786 CWE-200: Information Exposure • Modicon M340 CPU (part numbers BMXP34*)
• Modicon M580 CPU (part numbers BMEP* and BMEH*)
• Modicon MC80 (BMKC80)
• Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S)
• Modicon Momentum MDI (171CBU*)
• Legacy Modicon Quantum
See Security Notification for specific product versions affected.
SEVD-2022-221-04 (V5.0) PDF SEVD-2022-221-04 (V5.0)
2024/08/13 Modicon PAC Controllers CVE-2022-37301 CWE-191: Integer Underflow (Wrap or Wraparound) • Modicon M340 CPU (part numbers BMXP34*)
• Modicon M580 CPU (part numbers BMEP* and BMEH*)
• Modicon M580 CPU Safety (part numbers BMEP584040S and BMEP586040S)
• Legacy Modicon Quantum/Premium
• Modicon Momentum MDI (171CBU*)
See Security Notification for specific product versions affected.
SEVD-2022-221-02 (V5.0) PDF SEVD-2022-221-02 (V5.0) CSAF
2024/08/13 EcoStruxure™ Control Expert, EcoStruxure™ Process Expert, and Modicon Controllers M580 and M340 CVE-2022-37300 CWE-640: Weak Password Recovery Mechanism for Forgotten Password • EcoStruxure™ Control Expert Including all Unity Pro versions (former name of EcoStruxure™ Control Expert)
• EcoStruxure™ Process Expert, Including all versions of EcoStruxure™ Hybrid DCS (former name of EcoStruxure™ Process Expert)
• Modicon M340 CPU
• Modicon M580 CPU
• Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S)
See Security Notification for specific product versions affected.
SEVD-2022-221-01 (V5.0) PDF SEVD-2022-221-01 (V5.0) CSAF
2024/08/13 Modicon PAC Controllers and PLC Simulator for EcoStruxure™ Control Expert and EcoStruxure™ Process Expert CVE-2021-22789
CVE-2021-22790
CVE-2021-22791
CVE-2021-22792
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-125: Out-of-Bounds Read
• CWE-476: NULL Pointer Dereference
• CWE-787: Out-of-Bounds Write
• Modicon M580 CPU (part numbers BMEP* and BMEH*)
• Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S)
• Modicon M340 CPU (part numbers BMXP34*)
• Modicon MC80 (part numbers BMKC80*)
• Modicon Momentum Ethernet CPU (part numbers 171CBU*)
• PLC Simulator for EcoStruxure™ Control Expert, including all Unity Pro versions
• PLC Simulator for EcoStruxure™ Process Expert including all HDCS versions
• Modicon Quantum CPU (part numbers 140CPU*) br/>• Modicon Premium CPU (part numbers TSXP5*)
See Security Notification for specific product versions affected.
SEVD-2021-222-04 (V7.0) PDF SEVD-2021-222-04 (V7.0) CSAF
2024/08/13 EcoStruxure™ Control Expert, EcoStruxure™ Process Expert, SCADAPack RemoteConnect™ x70, and Modicon Controllers M580 and M340 CVE-2021-22778
CVE-2021-22779
CVE-2021-22780
CVE-2021-22781
CVE-2021-22782
CVE-2020-12525
• CWE-311: Missing Encryption of Sensitive Data
• CWE-522: Insufficiently Protected Credentials
• EcoStruxure™ Control Expert
• EcoStruxure™ Process Expert
• SCADAPack RemoteConnect™ for x70
• Modicon M580 CPU (part numbers BMEP* and BMEH*)
• Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S)
• Modicon M340 CPU (part numbers BMXP34*)
See Security Notification for specific product versions affected.
SEVD-2021-194-01 (V9.0) PDF SEVD-2021-194-01 (V9.0) CSAF
2024/08/13 Modicon Controllers ​CVE-2019-6841
​CVE-2019-6842​
CVE-2019-6843
CVE-2019-6844​
CVE-2019-6846 ​
CVE-2019-6847​
​• CWE-319: Cleartext Transmission of Sensitive Information ​
• CWE-755: Improper Handling of Exceptional Conditions
• Modicon M580 (part numbers BMEP* & BMEH*, excluding M580 CPU Safety)
• Modicon M580 CPU Safety (part numbers BMEP58*S & BMEH58*S)
• Modicon M340
• Modicon BMxCRA and 140CRA modules
See Security Notification for specific product versions affected.
SEVD-2019-281-02 (V7.0) PDF SEVD-2019-281-02 (V7.0) CSAF
2024/08/13 Embedded FTP Servers for Modicon PAC Controllers CVE-2018-7240
CVE-2018-7241
CVE-2018-7242
​• CWE-327: Use of a Broken or Risky Cryptographic Algorithm ​
• CWE-522: Insufficiently Protected Credentials
​• CWE-798: Use of Hard-coded Credentials
• Modicon M340
• Modicon M580
• Modicon M580 CPU Safety Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S)
• Modicon BMxCRA and 140CRA modules
See Security Notification for specific product versions affected.
SEVD-2018-081-01 (V9.0) PDF SEVD-2018-081-01 (V9.0)
2024/03/12* ISaGRAF Vulnerabilities in IEC 61131-3 Programming and Engineering Tools CVE-2020-25176
CVE-2020-25178
CVE-2020-25182
CVE-2020-25184
CVE-2020-25180
Schneider Electric is aware of multiple vulnerabilities in ISaGRAF Workbench and ISaGRAF Runtime products. • Easergy T300
• Easergy C5
• MiCOM C264
• PACiS GTW
• EPAS GTW
• SCADAPack 300E RTU
• SCADAPack 53xE RTU
• SCADAPack Workbench
• SCD2200 Firmware for CP-3/MC-31
• SAGE RTU (C3414 CPU, C3413 CPU, C3412 CPU)
• Talus T4e Mk 1 (A18.xx Firmware (all)) T4e Mk II and T4c (A19.08 Firmware and prior)
See Security Notification for specific product versions affected.
SEVD-2021-159-04 (V7.0) PDF SEVD-2021-159-04 (V7.0) CSAF
2024/7/9 ​​Wiser Home Controller WHC-5918A​ ​CVE-2024-6407​ CWE-200: Information Exposure  Wiser Home Controller WHC-5918A SEVD-2024-191-01 PDF SEVD-2024-191-01 CSAF
2024/7/9 ​​​EcoStruxure™ Foxboro DCS Core Control Services​​ • CVE-2024-5679​
• ​​CVE-2024-5680
• ​​CVE-2024-5681
• ​​CWE-20: Improper Input Validation
• ​​CWE-129: Improper Validation of Array Index 
• CWE-787: Out-of-Bounds Write 
EcoStruxure™ Foxboro DCS Core Control Services (Versions 9.8 and prior) SEVD-2024-191-02 PDF SEVD-2024-191-02 CSAF
2024/7/9 ​​EcoStruxure™ Foxboro SCADA FoxRTU Station​ CVE-2024-2602 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') FoxRTU Station (All versions prior to v9.3.0) SEVD-2024-191-03 PDF SEVD-2024-191-03 CSAF
2024/7/9 Sage RTU • CVE-2024-5560
• CVE-2024-37036
• CVE-2024-37037
• CVE-2024-37038
• CVE-2024-37039
• CVE-2024-37040
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 
• CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
• CWE-125: Out-of-bounds Read
• CWE-252: Unchecked Return Value • CWE-276: Incorrect Default Permissions
• CWE-787: Out-of-bounds Write
• Sage 1410 (Versions C3414-500-S02K5_P8 and prior) 
• Sage 1430 (Versions C3414-500-S02K5_P8 and prior)
• Sage 1450 (Versions C3414-500-S02K5_P8 and prior) 
• Sage 2400 (Versions C3414-500-S02K5_P8 and prior)
• Sage 3030 Magnum (Versions C3414-500-S02K5_P8 and prior)
• Sage 4400 (Versions C3414-500-S02K5_P8 and prior)
SEVD-2024-163-05 (V2.0) PDF SEVD-2024-163-05 (V2.0) CSAF
2024/7/9 Modicon Controllers • CVE-2018-7842
• CVE-2018-7843
• CVE-2018-7844
• CVE-2018-7845
• CVE-2018-7846
• CVE-2018-7847
• CVE-2018-7848
• CVE-2018-7849
• CVE-2018-7850
• CVE-2018-7852
• CVE-2018-7853
• CVE-2018-7854
• CVE-2018-7855
• CVE-2018-7856
• CVE-2018-7857
• CVE-2019-6806
• CVE-2019-6807
• CVE-2019-6808
• CVE-2019-6809
• CVE-2019-6828
• CVE-2019-6829
• CVE-2019-6830
• CWE-125: Out-of-bounds Read
• CWE-200: Information Exposure
• CWE-248: Uncaught Exception
• CWE-284: Improper Access Control
• CWE-290: Authentication Bypass by Spoofing
• CWE-501: Trust Boundary Violation
• CWE-807: Reliance on Untrusted Inputs in a Security Decision
• Modicon M340
• Modicon M580
• Modicon MC80
• Modicon Momentum Unity M1E Processor (part numbers 171CBU*)
• Modicon Premium
• Modicon Quantum
• PLC Simulator for EcoStruxure™ Control Expert
See Security Notification for specific product versions affected.
SEVD-2019-134-11 (V11.0) PDF SEVD-2019-134-11 (V11.0) CSAF
2024/06/11 Modicon M340 and BMXNOE0100 and BMXNOE0110 CVE-2024-5056 CWE-552: Files or Directories Accessible to External Parties • Modicon M340 (All Versions)
• Network module, Modicon M340, Modbus/TCP BMXNOE0100 (All Versions)
• Network module, Modicon M340, Ethernet TCP/IP BMXNOE0110 (All Versions)
SEVD-2024-163-01 PDF SEVD-2024-163-01 CSAF
2024/06/11 EVlink Home Smart CVE-2024-5313 CWE-668: Exposure of the Resource Wrong Sphere EVlink Home Smart (v2.0.4.1.2_131, v2.0.3.8.2_128) SEVD-2024-163-03 PDF SEVD-2024-163-03 CSAF
2024/06/11 ​​SpaceLogic AS-P​ and AS-B Automation Servers • CVE-2024-5558
• CVE-2024-5557 
• CVE-2024-5558
• CVE-2024-5557
• SpaceLogic AS-P (v5.0.3 and prior)
• SpaceLogic AS-B (v5.0.3 and prior)
SEVD-2024-163-04 PDF SEVD-2024-163-04 CSAF
2024/06/11 CODESYS Runtime Vulnerabilities Schneider Electric is aware of ​multiple vulnerabilities​ disclosed on ​CODESYS runtime system V3 communication server​. • Easy Harmony HMIET6/HMIFT6
• Easy Modicon M310
• HMISCU Controller
• Harmony (Formerly Magelis) HMIGK/HMIGTO/HMIGTU/HMIGTUX/HMISTU series, iPC series with Vijeo Designer runtime
• Magelis HMIGXU, XBT series
• Modicon Controller LMC058
• Modicon Controller LMC078
• Modicon Controller M218
• Modicon Controller M241
• Modicon Controller M251
• Modicon Controller M258
• Modicon Controller M262
• PacDrive 3 Controllers: LMC Eco/Pro/Pro2
• SoftSPS embedded in EcoStruxure™ Machine Expert
• Vijeo Designer embedded in EcoStruxure™ Machine Expert
See Security Notification for specific product versions affected.
SEVD-2023-192-04 (V6.0) PDF SEVD-2023-192-04 (V6.0) CSAF
2024/06/11 Easy UPS Online Monitoring Software • CVE-2023-29411
• CVE-2023-29412
• CVE-2023-29413
• CWE-306: Missing Authentication for Critical Function
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
• CWE-306: Missing Authentication for Critical Function
• APC Easy UPS Online Monitoring Software (v2.5-GA-01-22320 and prior (Windows 10, 11 Windows Server 2016, 2019, 2022))
• Schneider Electric Easy UPS Online Monitoring Software* (v2.5-GS-01-22320 and prior (Windows 10, 11 Windows Server 2016, 2019, 2022))
*Known as Schneider SP Series UPS Monitoring Software in China.
SEVD-2023-101-04 (V4.0) PDF SEVD-2023-101-04 (V4.0) CSAF
2024/04/09 ​Easergy Studio​ CVE-2024-2747 CWE-428: Unquoted search path or element vulnerability Easergy Studio (Easergy Studio v9.3.3 and prior) SEVD-2024-​100-01 PDF SEVD-2024-​100-01 CSAF
2024/04/09 Trio™ Licensed and License-free Data Radios CVE-2023-5629​
CVE-2023-5630
CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability
CWE-494: Download of Code Without Integrity Check vulnerability
• Trio Q-Series Ethernet Data Radio
• Trio E-Series Ethernet Data Radio
• Trio J-Series Ethernet Data Radio
See Security Notification for specific product versions affected.
SEVD-2023-346-01 (V2.0) PDF SEVD-2023-346-01 (V2.0) CSAF
2024/04/09 Galaxy VS and Galaxy VL​ CVE-2023-6032​ CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability • Galaxy VS (v12.21)
• Galaxy VL (v6.82)
SEVD-2023-318-03 (V2.0) PDF SEVD-2023-318-03 (V2.0) CSAF
2024/03/12 ​Easergy T200 CVE-2024-2050
CVE-2024-2051
CVE-2024-2052
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-307: Improper Restriction of Excessive Authentication Attempts
CWE-552: Files or Directories Accessible to External Parties 
• Easergy T200 Models: T200I, T200E, T200P, T200S, T200H (Modbus) (Version SC2-04MOD-07000104 and prior)
• Easergy T200 Models: T200I, T200E, T200P, T200S, T200H (IEC104) (Version SC2-04IEC-07000104 and prior)
• Easergy T200 Models: T200I, T200E, T200P, T200S, T200H (DNP3) (Version SC2-04DNP-07000104 and prior)
SEVD-2024-​072-01 (PDF) SEVD-2024-​072-01 (CSAF)
2024/03/12 EcoStruxure Power Design - Ecodial CVE-2024-2229 CWE-502: Deserialization of Untrusted Data •  EcoStruxure Power Design - Ecodial (Ecodial NL All Versions, Ecodial INT All Versions, Ecodial FR All Versions) SEVD-2024-​072-02 (PDF) SEVD-2024-​072-02 (CSAF)
2024/02/13 ​​EcoStruxure™ Control Expert, EcoStruxure™ Process Expert ​and Modicon M340, M580 and M580 Safety PLCs CVE-2023-6408
CVE-2023-6409
CVE-2023-27975
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
CWE-798: Use of Hard-coded Credentials
CWE-522: Insufficiently Protected Credentials
• Modicon M340 CPU (part numbers BMXP34*)
• Modicon M580 CPU (part numbers BMEP* and BMEH*, excluding M580 CPU Safety)
• Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S)
• EcoStruxure™ Control Expert
• EcoStruxure™ Process Expert
See Security Notification for specific product versions affected.
SEVD-2024-​044-01 (PDF) SEVD-2024-​044-01 (CSAF)
2024/02/13 ​​Harmony Relay NFC​ ​CVE-2024-0568​ CWE-287: Improper Authentication • Harmony Control Relay RMNF22TB30 (All versions)
• Harmony Timer Relay RENF22R2MMW (All versions)
SEVD-2024-​044-02 (PDF) SEVD-2024-​044-02 (CSAF)
2024/02/13 ​​EcoStruxure IT Gateway​ CVE-2024-0865 CWE-798: Use of hard-coded credentials • EcoStruxure IT Gateway (1.20.x and prior) SEVD-2024-​044-03 (PDF) SEVD-2024-​044-03 (CSAF)
2024/02/01 Sustainability Business Division of Schneider Electric Responds to Cybersecurity Incident N/A On January 17th, 2024, a ransomware incident affected Schneider Electric Sustainability Business division. N/A Cybersecurity Incident Announcement
2024/01/09 ​​Easergy Studio​ CVE-2023-7032 CWE-502: Deserialization of untrusted data • Easergy Studio (Versions prior to v9.3.50) SEVD-2024-009-02 PDF SEVD-2024-009-02 CSAF
2024/01/09 EcoStruxure™ Control Expert CVE-2023-1548
CVE-2023-27976
CWE-668: Exposure of Resource to Wrong Sphere
CWE-269: Improper Privilege Management
• EcoStruxure™ Control Expert (Versions prior to V16.0) SEVD-2023-101-03 (V2.0) PDF SEVD-2023-101-03 (V2.0) CSAF
2024/01/09 CODESYS Runtime Vulnerabilities CVE-2022-4224
CVE-2023-28355
CVE-2022-4046
CWE-668: Exposure of Resource to Wrong Sphere • HMISCU Controller
• Modicon Controller M241
• Modicon Controller M251
• Modicon Controller M262
• Modicon Controller M258
• Modicon Controller LMC058
• Modicon Controller M218
• PacDrive 3 Controllers: LMC Eco/Pro/Pro2
• PacDrive Controller LMC078
See Security Notification for specific product versions affected.
SEVD-2023-101-01 (V2.0) PDF SEVD-2023-101-01 (V2.0) CSAF
2024/01/09 Harmony (formerly known as Magelis) HMI Panels CVE-2019-6833 CWE-754 – Improper Check for Unusual or Exceptional Conditions • Harmony/Magelis HMIGK series
• Harmony/Magelis HMIGTO series
• Harmony/Magelis HMISTO series (End of Commercialization)
• Harmony/Magelis) HMIGTU series
• Harmony/Magelis HMIGTUX series
• Harmony/Magelis HMIGXO series (End of Commercialization)
• Harmony/Magelis HMIGXU series
• Harmony/Magelis HMISCU series
• Harmony/Magelis HMISTU series
• Harmony/Magelis XBTGC series
• Harmony/Magelis XBTGH series
• Harmony/Magelis XBTGT series (End of Commercialization)
See Security Notification for specific product versions affected.
SEVD-2019-225-01 (V3.0) PDF SEVD-2019-225-01 (V3.0) CSAF
2023/12/12 ​​​Trio™ Licensed and License-free Data Radios​​ CVE-2023-5629​ 
CVE-2023-5630
CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability
CWE-494: Download of Code Without Integrity Check vulnerability
• Trio Q-Series Ethernet Data Radio (See security notification for specific versions)
• Trio E-Series Ethernet Data Radio (See security notification for specific versions)
• Trio J-Series Ethernet Data Radio (all versions)
2023/12/12 ProLeiT Plant iT/Brewmaxx​ Schneider Electric is aware of ​a vulnerability​ in Redis open-source database, affecting its ​Plant iT​ product. • Plant iT/Brewmaxx (v9.60 and above) SEVD-2023-346-02 (PDF) SEVD-2023-346-02 (CSAF)
2023/12/12 ​​Easy UPS Online Monitoring Software​ CVE-2023-6407 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability • Easy UPS Online Monitoring Software (2.6-GA-01-23116 and prior (Windows 10, 11, Windows Server 2016, 2019, 2022)) SEVD-2023-346-03 (PDF) SEVD-2023-346-03 (CSAF)
2023/12/12 ​​PowerLogic ION8650, PowerLogic ION8800​ CVE-2023-5984 ​
CVE-2023-5985
CWE-494 : Download of Code Without Integrity Check vulnerability
CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability
• ION8650 (all versions)
• ION8800 (all versions)
SEVD-2023-318-01 (V1.1) (PDF) SEVD-2023-318-01 (V1.1) (CSAF)
2023/11/14 ​​EcoStruxure Power Monitoring Expert and EcoStruxure™ Power Operation with Advanced Reporting and Dashboards Module CVE-2023-5986
CVE-2023-5987
CWE-601 URL Redirection to Untrusted Site vulnerability
CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability
• EcoStruxure™ Power Monitoring Expert (PME) (EcoStruxure™ Power Monitoring Expert (PME) 2021 prior to CU2, EcoStruxure™ Power Monitoring Expert (PME) 2020 prior to CU3)
• EcoStruxure™ Power Operation (EPO) – Advanced Reporting and Dashboards Module (Advanced Reporting and Dashboards Module 2021 prior to CU2 for EcoStruxure™ Power Operation 2021)
• EcoStruxure™ Power SCADA Operation (PSO) - Advanced Reporting and Dashboards Module (Advanced Reporting and Dashboards Module 2020 prior to CU3 EcoStruxure™ Power SCADA Operation (PSO) 2020 or 2020 R2)
SEVD-2023-318-02 (PDF) SEVD-2023-318-02 (CSAF)
2023/11/14 ​​Galaxy VS and Galaxy VL​ ​CVE-2023-6032​ CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability • Galaxy VS (v6.82)
• Galaxy VL (v12.21)
2023/10/10 SpaceLogic C-Bus Toolkit CVE-2023-5402
CVE-2023-5399
CWE-269: Improper Privilege Management vulnerability
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability
SpaceLogic C-Bus Toolkit (v1.16.2.2 and prior) SEVD-2023-283-01 PDF SEVD-2023-283-01 CSAF
2023/10/10 EcoStruxure Power Monitoring Expert and EcoStruxure™
Power Operation with Advanced Reports
CVE-2023-5391 CWE-502: Deserialization of untrusted data vulnerability EcoStruxure™ Power Monitoring Expert (PME) (All versions – prior to application of Hotfix-145271 ) EcoStruxure™ Power Operation with Advanced Reports (All versions – prior to application of Hotfix-145271)
EcoStruxure™ Power SCADA Operation with Advanced Reports (All versions – prior to application of Hotfix-145271 )
Note: Power SCADA Operation and Power Operation without Advanced Reports are not affected.
SEVD-2023-283-02 PDF SEVD-2023-283-02 CSAF
2023/09/12 ​​​IGSS (Interactive Graphical SCADA System)​​ CVE-2023-4516​ CWE-306: Missing Authentication for Critical Function vulnerability. IGSS Update Service
(IGSSupdateservice.exe) (v16.0.0.23211 and prior)
SEVD-2023-255-01 PDF SEVD-2023-255-01 CSAF
2023/08/08 ​​​Pro-face GP-Pro EX​​ CVE-2023-3953 CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability. • GP-Pro EX WinGP for iPC (v4.09.450 and prior)
• GP-Pro EX WinGP for PC/AT (v4.09.450 and prior)
SEVD-2023-220-01 PDF SEVD-2023-220-01 CSAF
2023/07/11 ​StruxureWare Data Center Expert CVE-2023-37196​, CVE-2023-37197​, CVE-2023-37198, CVE-2023-37199 CWE-89: Improper Neutralization of Special Elements, CWE-94: Improper Control of Generation of Code • StruxureWare Data Center Expert (now known as EcoStruxure™ IT Data Center Expert) (v7.9.3 and earlier) SEVD-2023-192-01 PDF SEVD-2023-192-01 CSAF
2023/07/11 ​​EcoStruxure™ OPC UA Server Expert​ CVE-2023-37200​ CWE-611: Improper Restriction of XML External Entity Reference • EcoStruxure™ OPC UA Server Expert (Versions prior to SV2.01 SP2)
2023/06/13 ​EcoStruxure™ Operator Terminal Expert and Pro-face BLUE • ​CVE-2023-1049 • CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability • EcoStruxure™ Operator Terminal Expert (v3.3 SP1 and prior)
• Pro-face BLUE (v3.3 SP1 and prior)
SEVD-2023-164-01 PDF SEVD-2023-164-01 CSAF
2023/06/13 ​​​IGSS (Interactive Graphical SCADA System)​​ • CVE-2023-3001 • CWE-502: Deserialization of Untrusted Data • IGSS Dashboard (DashBoard.exe) (v16.0.0.23130 and prior) SEVD-2023-164-02 PDF SEVD-2023-164-02 CSAF
2023/06/13 ​​Foxboro SCADA​ • Schneider Electric is aware of ​a vulnerability​ in the AVEVA™ InTouch component which is included as part of Foxboro SCADA product. • Foxboro SCADA (All versions) SEVD-2023-164-03 PDF SEVD-2023-164-03 CSAF
2023/06/13 EcoStruxure™ Foxboro DCS Control Core Services • CVE-2023-2569
• ​CVE-2023-2570
• CWE-787: Out-of-Bounds Write
• CWE-129: Improper Validation of Array Index
• EcoStruxure™ Foxboro DCS Control Core Services (All versions prior to patch HF98577958) SEVD-2023-164-04 PDF SEVD-2023-164-04 CSAF
2023/06/13 PowerLogic ION7400 / PM8000 / ION9000 Power Meters • CVE-2022-46680 • CWE-319: Cleartext transmission of sensitive information • PowerLogic ION9000, PowerLogic ION7400
• PowerLogic PM8000 (Prior to 4.0.0)
• PowerLogic ION8650 (All Versions)
• PowerLogic ION8800 (All Versions)
• Legacy ION products (All Versions)
SEVD-2023-129-03 PDF (V1.1) SEVD-2023-129-03 CSAF (V1.1)
2023/05/09 OPC Factory Server CVE-2023-2161 CWE-611: Improper Restriction of XML External Entity Reference • OPC Factory Server (OFS) (Version prior to V3.63SP2) SEVD-2023-129-01 PDF SEVD-2023-129-01 CSAF
2023/05/09 EcoStruxure™ Power Operation
EcoStruxure™ Power SCADA Operation
Schneider Electric is aware of ​multiple vulnerabilities​ in the AVEVA™ Plant SCADA product which is included as part of ​​EcoStruxure™ Power Operation, EcoStruxure™ Power SCADA Operation​ ​products. • EcoStruxure™ Power Operation (Version 2022, Versions 2021 CU3 and prior)
• EcoStruxure™ Power SCADA Operation (Versions 2020 R2 and prior)
SEVD-2023-129-02 PDF SEVD-2023-129-02 CSAF
2023/05/09 Power SCADA Anywhere Schneider Electric is aware of ​multiple vulnerabilities​ in the AVEVA™ Plant SCADA Access Anywhere which is an optional component of the EcoStruxureTM Power Operation or EcoStruxureTM Power SCADA Operation products. • EcoStruxureTM Power Operation or EcoStruxureTM Power SCADA Operation configured with Power SCADA Anywhere (Power SCADA Anywhere Versions 1.1 and 1.2) SEVD-2023-129-04 PDF SEVD-2023-129-04 CSAF
2023/05/09 NicheStack TCP/IP Vulnerabilities (INFRA:HALT) in Lexium ILE, ILA, ILS, and Communication Option Boards for Altivar and Lexium32 drives CVE-2021-31400, CVE-2021-31401, CVE-2020-35683, CVE-2020-35684, CVE-2020-35685 Schneider Electric is aware of multiple vulnerabilities in HCC Embedded’s NicheStack TCP/IP third party component, which is integrated into Schneider Electric’s Lexium ILE, ILA, ILS, Altivar Profinet Communication Module (VW3A3627), Altivar and Lexium Ethernet TCP/IP Communication Module (VW3A3616), and Altivar Profinet - Communication Card (VW3A3327) products. • Lexium ILE ILA ILS firmware version (V01.110 and prior) SEVD-2021-217-01 (V5.0) PDF SEVD-2021-217-01 (V5.0) CSAF
2023/04/26 ​​​KNX Publicly Available Exploit​​ Schneider Electric is aware of publicly available exploit affecting KNX home and building automation systems. The products used in these systems may come from a variety of different vendors, including Schneider Electric spaceLYnk, Wiser for KNX (formerly homeLYnk), and FellerLYnk products. • spaceLYnk
• Wiser for KNX (formerly homeLYnk)
• FellerLYnk
SESB-2023-01 PDF
2023/04/11 Conext™ Gateway/ InsightHome and InsightFacility CVE-2023-29410 CWE-20: Improper Input Validation • InsightHome (v1.16 Build 004 and prior)
• InsightFacility (v1.16 Build 004 and prior)
• Conext™ Gateway (Discontinued in 2019) (v1.16 Build 004 and prior)
SEVD-2023-101-02 PDF SEVD-2023-101-02 CSAF
2023/04/11 EcoStruxure™ Control Expert CVE-2023-1548, CVE-2023-27976 CWE-668: Exposure of Resource to Wrong Sphere, CWE-269: Improper Privilege Management • EcoStruxure™ Control Expert (Versions V15.1 and above)
2023/04/11 Modicon PLCs (Programmable Logic Controllers) and PACs (Programmable Automation Controllers) CVE-2023-25619, CVE-2023-25620 CWE-754: Improper Check for Unusual or Exceptional Conditions • Modicon M340 CPU (part numbers BMXP34*) (Versions prior to SV3.51)
• Modicon M580 CPU (part numbers BMEP* and BMEH*) (Versions prior to V4.10)
• Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) (All Versions)
• Modicon Momentum Unity M1E Processor (171CBU*) (All Versions)
• Legacy Modicon Quantum (140CPU65*) (All Versions)
• Legacy Modicon Premium CPUs (TSXP57*) (All Versions)
2023/04/11 Easergy Builder CVE-2022-34755 CWE-427 - Uncontrolled Search Path Element • Easergy Builder installer (Version 1.7.23 and older) SEVD-2023-101-06 PDF SEVD-2023-101-06 CSAF
2023/04/11 SCADAPack Workbench CVE-2022-0221 CWE-611: Improper Restriction of XML External Entity Reference • SCADAPack Workbench (Version 6.6.8a and prior) SEVD-2022-087-01 (V2.0) PDF SEVD-2022-087-01 (V2.0) CASF
2023/04/11 CODESYS V3 Runtime, Development System, and Gateway Vulnerabilities CVE-2021-33485, CVE-2021-29241, CVE-2021-29240, CVE-2021-21863, CVE-2021-21864, CVE-2021-21865, CVE-2021-21866, CVE-2021-21867, CVE-2021-21868, CVE-2021-21869 Multiple Vulnerabilities • M241/M251 (All Versions)
• EcoStruxure Machine Expert (All Versions)
• Harmony/Magelis HMISTU Series, HMIGTO Series, HMIGTU Series, HMIGTUX Series, HMIGK Series, HMISCU Series, Vijeo Designer (V6.2 SP11 Hotfix 3 and prior)
• Eurotherm E+PLC100 (All Versions)
• Eurotherm E+PLC400 (V1.3.0.1 and prior)
• Eurotherm E+PLC tools (V1.3.0.1 and prior)
• Easy Harmony ET6 HMIET Series (Vijeo Designer Basic V1.2.1 and later)
• Easy Harmony GXU HMIGXU Series (Vijeo Designer Basic V1.2.1 and later)
SEVD-2022-011-06 (V7.0) PDF SEVD-2022-011-06 (V7.0) CSAF
2023/03/14 ​​PowerLogic™ HDPM6000​ CVE-2023-28004 • CWE-129: Improper Validation of an Array Index PowerLogic™ HDPM6000 (Version 0.58.6 and prior) SEVD-2023-073-02 PDF SEVD-2023-073-02 CSAF
2023/03/14 ​​​IGSS (Interactive Graphical SCADA System)​ CVE-2023-27977, CVE-2023-27978, CVE-2023-27979, CVE-2023-27980, CVE-2023-27981, CVE-2023-27982, CVE-2023-27983, CVE-2023-27984 Multiple Vulnerabilities • IGSS Data Server (IGSSdataServer.exe) (V16.0.0.23040 and prior)
• IGSS Dashboard (DashBoard.exe) (V16.0.0.23040 and prior)
• Custom Reports (RMS16.dll) (V16.0.0.23040 and prior)
SEVD-2023-073-04 PDF SEVD-2023-073-04 CSAF
2023/03/14 EcoStruxure™ Geo SCADA Expert​ CVE-2023-22610​, CVE-2023-22611 Notification Updated: Adjustment of the deprecated CWE of the ​CVE-2023-22610.​ • EcoStruxure™ Geo SCADA Expert 2019, EcoStruxure™ Geo SCADA Expert 2020, EcoStruxure™ Geo SCADA Expert 2021 (All versions prior to October 2022)
• ClearSCADA (All Versions)
SEVD-2023-010-02 (V1.1) PDF SEVD-2023-010-02 (V1.1) CSAF
2023/03/14 IGSS (Interactive Graphical SCADA System) CVE-2022-32522, CVE-2022-32523, CVE-2022-32524, CVE-2022-32525, CVE-2022-32526, CVE-2022-32527, CVE-2022-32528, CVE-2022-32529 Notification Updated: The CVE-2022-32528 description details have been clarified. IGSS Data Server (IGSSdataServer.exe) Versions prior to Version 15.0.0.22139 SEVD-2022-165-01 (V2.1) PDF SEVD-2022-165-01 (V2.1) CSAF
2023/02/14 PLC Simulator on EcoStruxure™ Control Expert and Process Expert CVE-2020-7559, CVE-2020-7538, CVE-2020-28211, CVE-2020-28212, CVE-2020-28213 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
• CWE-754: Improper Check for Unusual or Exceptional Conditions
• CWE-863: Incorrect Authorization
• A CWE-307: Improper Restriction of Excessive Authentication Attempts
• A CWE-494: Download of Code Without Integrity Check
PLC Simulator for EcoStruxure™ Control Expert, all versions
• PLC Simulator for Unity Pro (former name of EcoStruxure™ Control Expert), all versions
• PLC Simulator for EcoStruxure™ Process Expert, all versions
SEVD-2020-315-07 (V4.0) PDF SEVD-2020-315-07 (V4.0) CSAF
2023/02/14 ​​EcoStruxure™ Geo SCADA Expert CVE-2023-0595 A CWE-117: Improper Output Neutralization for Logs vulnerability. EcoStruxureTM Geo SCADA Expert 2019, EcoStruxureTM Geo SCADA Expert 2020, EcoStruxureTM Geo SCADA Expert 2021 (All Versions prior to October 2022) • ClearSCADA (All Versions) SEVD-2023-045-01 PDF SEVD-2023-045-01 CSAF
2023/02/14 ​​StruxureWare Data Center Expert​ ​CVE-2023-25547, ​CVE-2023-25548, CVE-2023-25549​, CVE-2023-25550​, ​CVE-2023-25551, ​CVE-2023-25552, CVE-2023-25553, CVE-2023-25555 Multiple Vulnerabilities StruxureWare Data Center Expert (7.9.2 and earlier) SEVD-2023-045-02 PDF SEVD-2023-045-02 CSAF
2023/02/14 ​​​Merten KNX Devices CVE-2023-25556 A CWE-287: Improper Authentication vulnerability. Merten INSTABUS Tastermodul 1fach System M 625199 (Program Version 1.0) • Merten INSTABUS Tastermodul 2fach System M 625299 (Program Version 1.0) • Merten Tasterschnittstelle 4fach plus 670804 (Program Version 1.0 & 1.2) • Merten KNX ARGUS 180/2,20M UP SYSTEM 631725 (Program Version 1.0) • Merten Jalousie-/Schaltaktor REG-K/8x/16x/10 m. HB 649908 (Product discontinued) (Program Version 1.0) • Merten KNX Uni-Dimmaktor LL REG-K/2x230/300 W MEG6710-0002 (Product discontinued) (Program Version 1.0 & 1.1) • Merten KNX Schaltakt.2x6A UP m.2 Eing. MEG6003-0002 (Product discontinued) (Prgram Version 0.1) SEVD-2023-045-03 PDF SEVD-2023-045-03 CSAF
2023/02/14 NetBotz 4 -355/450/455/550/570 CVE-2022-43376, CVE-2022-43377, CVE-2022-43378 Multiple Vulnerabilities NetBotz 4 -355/450/455/550/570 (V4.7.0 and earlier) SEVD-2022-312-01 (V2.0) PDF SEVD-2022-312-01 (V2.0) CSAF
2023/02/14 Web Server on Modicon M340, Legacy Offers Modicon Quantum and Premium and Associated Communication Modules CVE-2021-22785, CVE-2021-22788, CVE-2021-22787 Notification Updated: A remediation is available for Modicon M340 Ethernet Communication Modules BMXNOE0100 (H) and BMXNOE0110 (H). • Modicon M340 CPUs (BMXP34* versions prior to V3.40) • Modicon M340 X80 Ethernet Communication modules BMXNOC0401 prior to V2.11, BMXNOR0200H RTU prior to V1.70 IR24) • Modicon Premium Processors with Integrated Ethernet COPRO (TSXP574634 all versions, TSXP575634 all versions, TSXP576634 all versions) • Modicon Quantum Processors with Integrated Ethernet COPRO (140CPU65xxxxx all versions) • Modicon Quantum Communication Modules (140NOE771x1 all versions, 140NOC78x00 all versions, 140NOC77101 all versions) • Modicon Premium Communication Modules (TSXETY4103 all versions, TSXETY5103 all versions) SEVD-2021-257-02 (V3.0) PDF SEVD-2021-257-02 (V3.0) CSAF
2023/02/14 Modicon Web Server CVE-2020-7562, CVE-2020-7563, CVE-2020-7564 Notification Updated: A remediation is available on Modicon M340 Ethernet Communication Modules BMXNOE0100 (H) and BMXNOE0110 (H). • Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) SEVD-2020-315-01 (V4.0) PDF SEVD-2020-315-01 (V4.0) CSAF
2023/01/10 ​​EcoStruxure™ Machine Expert – HVAC (formerly SoMachine - HVAC)​ CVE-2022-2988 A CWE-787: Out-of-bounds Write vulnerability. • SoMachine - HVAC (Version 2.1.0 and prior)
• EcoStruxure™ Machine Expert – HVAC (Version 1.4.0 and prior)
SEVD-2023-010-01 PDF SEVD-2023-010-01 CSAF
2023/01/10 ​​EcoStruxure™ Power Operation 2021, EcoStruxure™ Power SCADA Operation 2020 and EcoStruxure™ Power SCADA Operation 2020 R2​ CVE-2022-38138 A CWE-824: Access of uninitialized Pointer vulnerability. • EcoStruxure™ Power SCADA Operation 2020 (Version 2020 and 2020 CU1)
• EcoStruxure™ Power SCADA Operation 2020 R2 (Version 2020 R2 and 2020 R2 CU1, 2020 R2 CU2, and 2020 R2 CU3)
• EcoStruxure™ Power Operation 2021 (Version 2021, 2021 CU1, 2021 CU2 and 2021 CU3)
• Power SCADA Operation (Version 9.0)
• PowerSCADA Expert (Version 8.x)
SEVD-2023-010-03 PDF SEVD-2023-010-03 CSAF
2023/01/10 ​​EcoStruxure™ Power SCADA Anywhere​ CVE-2022-1467 A CWE-668: Exposure of Resource to Wrong Sphere vulnerability. • EcoStruxure™ Power SCADA Anywhere (Versions 2022, 2021, 2020 R2, 2020, 9.0, 8.x) SEVD-2023-010-04 PDF SEVD-2023-010-04 CSAF
2023/01/11 Easy UPS Online Monitoring Software CVE-2022-42970, CVE-2022-42971, CVE-2022-42973, ​​CVE-2022-42972​ Notification Updated: The Easy UPS Online Monitoring Software has been separated by the APC and Schneider Electric brand names. • APC Easy UPS Online Monitoring Software (V2.5-GA and prior (Windows 7, 10, 11 Windows Server 2016, 2019, 2022) (V2.5-GA-01-22261 and prior (Windows 11, Windows Server 2019, 2022)) • Schneider Electric Easy UPS Online Monitoring Software (V2.5-GA and prior (Windows 7, 10, 11 Windows Server 2016, 2019, 2022) (V2.5-GA-01-22261 and prior (Windows 11, Windows Server 2019, 2022)) SEVD-2022-347-01 (V2.0) PDF SEVD-2022-347-01 (V2.0) CSAF
2022/12/13 ​Saitel DR RTU CVE-2020-6996​ • CWE-787: Out-of-bounds write vulnerability. SAITEL DR RTU (Firmware from Baseline_11.06.01 to Baseline_11.06.14) SEVD-2022-347-02 PDF SEVD-2022-347-02 CSAF
2022/12/13 ​​​EcoStruxure Power Commission​ CVE-2022-4062 A CWE-285: Improper Authorization vulnerability. EcoStruxure Power Commission (V2.25 and prior versions) SEVD-2022-347-03 PDF SEVD-2022-347-03 CSAF
2022/11/22 APC Smart-UPS SMT, SMC, SMX, SCL, SRC, XU, XP, CSH2, SURTD, SMTL, SRT, and select SRTL Series CVE-2022-22805, CVE-2022-22806, CVE-2022-0715 Notification Updated: In the Affected Products and Versions section, new series IDs were added to SMT, SMC, and SMX. Added CSH2 to the available remediations sections. Added mitigations for products with the specified IDs that have been phased out and will not have firmware remediation. APC Smart-UPS Family and SmartConnect Family (see Security Notification for affected series and versions) SEVD-2022-067-02 (V7.0) PDF SEVD-2022-067-02 (V7.0) CSAF
2022/11/08 homeLYnk (Wiser For KNX) and spaceLYnk CVE-2021-22732
CVE-2021-22733
CVE-2021-22734
CVE-2021-22735
CVE-2021-22736
CVE-2021-22737
CVE-2021-22738
CVE-2021-22739
CVE-2021-22740
Notification Updated: The CWE for CVE-2021-22737 has been updated. No additional action is required for customers who have already followed the remediation instructions provided. homeLYnk (Wiser For KNX) and spaceLYnk (V2.60 and prior) SEVD-2021-130-04 (V2.0) PDF SEVD-2021-130-04 (V2.0) CSAF
2022/11/08 C-Bus Toolkit and C-Gate Server CVE-2021-22716, CVE-2021-22717, CVE-2021-22718, CVE-2021-22719, CVE-2021-22720, CVE-2021-22748, CVE-2021-22796 Notification Updated: The CWE for CVE-2021-22716 has been updated. No additional action is required for customers who have already followed the remediation instructions provided. C-Bus Toolkit V1.15.9 and prior, C-Gate Server 2.11.7 and prior SEVD-2021-103-01 (V4.0) PDF SEVD-2021-103-01 (V4.0) CSAF
2022/10/14 EcoStruxure™ Power Operation 2021, EcoStruxure™ Power SCADA Operation 2020 and EcoStruxure™ Power SCADA Operation 2020 R2 CVE-2022-22727 Notification Updated: There is an update to the EcoStruxure™ Power SCADA Operation 2020 remediation advising customers to move to 2020 R2 instead of 2020 CU2. EcoStruxure™ Power SCADA Operation 2020 Version 2020 and 2020 CU1 (Version 2020 and 2020 CU1) • EcoStruxure™ Power SCADA Operation 2020 R2 (Version 2020 R2 Prior to CU1) • EcoStruxure™ Power Operation 2021 (Version 2021, 2021 CU1 and 2021 CU2) SEVD-2022-284-04 (V1.1) PDF SEVD-2022-284-04 (V1.1) CSAF
2022/10/11 EcoStruxure™ Operator Terminal Expert and Pro-face BLUE CVE-2022-41666, CVE 2022-41667, CVE-2022-41668, CVE-2022-41669, CVE-2022-41670, CVE-2022-41671 Multiple Vulnerabilities • EcoStruxure™ Operator Terminal Expert (V3.3 Hotfix 1 or prior) • Pro-face BLUE (V3.3 Hotfix1 or prior) SEVD-2022-284-01 (PDF) SEVD-2022-284-01 (CSAF)
2022/10/11 EcoStruxure™ Panel Server Box (PAS900) CVE-2022-30790, CVE-2022-30552 Multiple Vulnerabilities EcoStruxure™Panel Server Box (PAS900) (V3.1.16 and prior) SEVD-2022-284-02 (PDF) SEVD-2022-284-02 (CSAF)
2022/10/11 ISaGRAF Workbench for SAGE RTU CVE-2022-2463, CVE-2022-2464, CVE-2022-2465 Multiple Vulnerabilities SAGE RTU C3414 CPU (Current) with optional ISaGRAF software versions prior to 6.6.10 (All firmware versions prior to C3414-500-S02K5_P5) • SAGE RTU C3413, C3412 CPU (Obsolete CPUs) with optional ISaGRAF software versions prior to 6.6.10 (All firmware versions) SEVD-2022-284-03 (PDF) SEVD-2022-284-03 (CSAF)
2022/10/11 Apache Log4j Vulnerability (Log4Shell) CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, CVE-2021-44832 Notification Updated: A remediation is now available for Netbotz 750/755. Schneider Electric is aware of the vulnerabilities impacting Apache Log4j, including CVE-2021-44228, also known as Log4Shell. Our cybersecurity team is actively investigating the impact of the vulnerability on Schneider Electric offers and will continuously update this notification as information becomes available. SESB-2021-347-01 (V14.0) PDF SESB-2021-347-01 (V14.0) (CSAF)
2022/09/13 EcoStruxure Machine SCADA Expert and Pro-face BLUE Open Studio N/A Deserialization of Untrusted Data vulnerability exists that can lead to arbitrary code execution, information disclosure, or denial of services when the project file is loaded. • EcoStruxure Machine SCADA Expert 2020 Service Pack 2 (V20.0.2 or prior) • BLUE Open Studio 2020 Service Pack 2 (V20.0.2 or prior) SEVD-2022-256-01 PDF SEVD-2022-256-01 CSAF
2022/09/13 Wind River VxWorks Vulnerabilities (URGENT/11) CVE-2019-12256, CVE-2019-12257, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263, CVE-2019-12258, CVE-2019-12259, CVE-2019-12262, CVE-2019-12264, CVE-2019-12265 Notification Updated: CANopen X80 Communication Module (BMECXM0100) and Profibus Remote Master (TCSEGPA23F14F) added to the list of affected products, along with their final mitigations. See Security Bulletin for offer specific information. SESB-2019-214-01 (V2.14) PDF SESB-2019-214-01 CSAF
2022/09/13 Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and Associated Communication Modules CVE-2020-7549 Notification Updated: A fix is available for Modicon M340 X80 Ethernet Communication Module BMXNOC0401. • Modicon M340 CPUs (BMXP34* versions prior to V3.30) • Modicon M340 Ethernet Communication modules (BMXNOE0100 (H) versions prior to V3.4, BMXNOE0110 (H) versions prior to V6.5, BMXNOC0401 (H) all versions) • Modicon Quantum communication modules (140NOE771x1 versions prior to V7.3, 140NOC78x00 all versions, 140NOC77101 all versions) • Modicon Quantum processors with integrated Ethernet COPRO (140CPU65xx0 all versions) • Modicon Premium communication modules (TSXETY4103 all versions, TSXETY5103 all versions) • Modicon Premium processors with integrated Ethernet COPRO (TSXP574634 all versions, TSXP575634 all versions, TSXP576634 all versions) SEVD-2020-343-06 (V2.0) PDF SEVD-2020-343-06 CSAF
2022/09/13 Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and Associated Communication Modules CVE-2020-7535 Notification Updated: A remediation is available for ModiconM340 X80 Ethernet Communication Modules BMXNOC0401. Modicon M340 • Modicon Premium • Modicon Quantum SEVD-2020-343-05 (V3.0) PDF SEVD-2020-343-05 CSAF
2022/09/13 SNMP Service on Modicon M340 and Associated Communication Modules CVE-2020-7536 Notification Updated: A remediation is available for Modicon M340 X80 Ethernet Communication module BMXNOC0401. • Modicon M340 CPUs (BMXP34* versions prior to V3.30) • Modicon M340 Communication Ethernet modules (BMXNOC0401 versions prior to V2.11BMXNOE0100 (H) versions prior to V3.4, BMXNOE0110 (H) versions prior to V6.6, BMXNOR0200H V1.7 IR22) SEVD-2020-343-07 (V2.1) PDF SEVD-2020-343-07 CSAF
2022/08/19 OPC UA and X80 advanced RTU Modicon Communication Modules CVE-2022-34759, CVE-2022-34760, CVE-2022-34761, CVE-2022-34762, CVE-2022-34763, CVE-2022-34764, CVE-2022-34765 Notification Updated: There is a remediation for the X80 Advanced RTU Communication Module (BMENOR2200). • OPC UA Modicon Communication Module (BMENUA0100) V1.10 and prior • X80 advanced RTU Communication Module (BMENOR2200H) V1.0 • X80 advanced RTU Communication Module (BMENOR2200H) V2.01 and later SEVD-2022-193-01 (V3.0) PDF SEVD-2022-193-01 (V3.0) CSAF
2022/08/09 Treck TCP/IP Vulnerabilities (Ripple20) CVE-2020-11896, CVE-2020-11897, CVE-2020-11898, CVE-2020-11899, CVE-2020-11900, CVE-2020-11901, CVE-2020-11902, CVE-2020-11903, CVE-2020-11904, CVE-2020-11905, CVE-2020-11906, CVE-2020-11907, CVE-2020-11908, CVE-2020-11909, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11913, CVE-2020-11914 Notification Updated - A remediation is available for the ATV6000 Medium Voltage Altivar Process Drive. See Security Notification SEVD-2020-175-01 (V2.18) PDF SEVD-2020-175-01 (V2.18) CSAF
2022/08/09 EcoStruxure™ Control Expert CVE-2022-37302 CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability. EcoStruxure™ Control Expert (V15.1 HF001 and prior) SEVD-2022-221-03 PDF SEVD-2022-221-03 CSAF
2022/07/12 SpaceLogic C-Bus Home Controller, formerly known as C-Bus Wiser Home Controller MK2 CVE-2022-34753 A CWE-78: Improper Neutralizationof Special Elements used in an OS Command ('OS Command Injection') SpaceLogic C-Bus Home Controller (5200WHC2), formerly known as C-Bus Wiser Homer Controller MK2 V1.31.460 and prior SEVD-2022-193-02 PDF SEVD-2022-193-02 CSAF
2022/07/12 Acti9 PowerTag Link C CVE-2022-34754 CWE-269: Improper Privilege Management • Acti9 PowerTag Link C (A9XELC10-A) V1.7.5 and prior • Acti9 PowerTag Link C (A9XELC10-B) V2.12.0 and prior SEVD-2022-193-03 PDF SEVD-2022-193-03 CSAF
2022/07/12 Easergy P5 CVE-2022-34756, CVE-2022-34757, CVE-2022-34758 Multiple Vulnerabilities Easergy P5 Firmware V01.401.102 and prior SEVD-2022-193-04 PDF SEVD-2022-193-04 CSAF
2022/07/12 IGSS (Interactive Graphical SCADA System) CVE-2022-24324, CVE-2022-2329 Notification Updated: An additional vulnerability, CVE-2022-2329, was remediated with the released patch. IGSS Data Server (V15.0.0.22073 and prior) SEVD-2022-102-01 (V2.0) PDF SEVD-2022-102-01 (V2.0) CSAF
2022/07/12 AT&T Labs Compressor (XMill) and Decompressor (XDemill) used by EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and SCADAPack RemoteConnect™ for x70 CVE-2021-21810, CVE-2021-21811, CVE-2021-21812, CVE-2021-21813, CVE-2021-21814, CVE-2021-21815, CVE-2021-21825, CVE-2021-21826, CVE-2021-21827, CVE-2021-21828, CVE-2021-21829, CVE-2021-21830, CVE-2022-26507 Notification Updated: A release is available for SCADAPack RemoteConnect™ R2.7.3 that addresses workstation vulnerabilities. • EcoStruxure™ Control Expert (All versions prior to V15.1 HF001 including former Unity Pro) • EcoStruxure™ Process Expert (All versions prior to V2021 including former HDCS) • SCADAPack RemoteConnect™ for x70 (All versions) SEVD-2021-222-02 (V4.0) PDF SEVD-2021-222-02 (V4.0) CSAF
2022/07/12 EcoStruxure™ Control Expert, EcoStruxure™ Process Expert, SCADAPack RemoteConnect™ for x70 CVE-2021-22797 Notification Updated: A release is available for SCADAPack RemoteConnect™ R2.7.3 that addresses workstation vulnerabilities. • EcoStruxure™ Control Expert (All versions including former Unity Pro) • EcoStruxure™ Process Expert (All versions including former HDCS) • SCADAPack RemoteConnect™ for x70 (All versions) SEVD-2021-257-01 (V3.0) PDF SEVD-2021-257-01 (V3.0) CSAF
2022/06/16 Data Center Expert CVE-2022-32518
CVE-2022-32519
CVE-2022-32520
CVE-2022-32521
• CWE-257: Storing Passwords in a Recoverable Format
• CWE 502: Deserialization of Untrusted Data
• CWE-522: Insufficiently Protected Credentials
Data Center Expert (V7.9.0 and prior) SEVD-2022-165-04 (V2.0) PDF SEVD-2022-165-04 (V2.0) CSAF
2022/06/14 Conext™ Combox CVE-2022-32515, CVE-2022-32516, CVE-2022-32517 Multiple Vulnerabilities Conext™ ComBox All Versions SEVD-2022-165-03 PDF SEVD-2022-165-03 CSAF
2022/06/14 EcoStruxure Power Commission CVE-2022-0223, CVE-2022-22731, CVE-2022-22732 Multiple Vulnerabilities EcoStruxure Power Commission Versions prior to V2.22 SEVD-2022-165-05 PDF SEVD-2022-165-05 CSAF
2022/06/14 Schneider Electric C-Bus Home Automation Products CVE-2022-32513, CVE-2022-32514 Multiple Vulnerabilities • Schneider Electric C-Bus Network Automation Controller - LSS5500NAC V1.10.0 and prior • Schneider Electric Wiser for C-Bus Automation Controller - LSS5500SHAC V1.10.0 and prior • Clipsal C-Bus Network Automation Controller - 5500NAC V1.10.0 and prior • Clipsal Wiser for C-Bus Automation Controller - 5500SHAC V1.10.0 and prior • SpaceLogic C-Bus Network Automation Controller - 5500NAC2 V1.10.0 and prior • SpaceLogic C-Bus Application Controller - 5500AC2 V1.10.0 and prior SEVD-2022-165-06 PDF SEVD-2022-165-06 CSAF
2022/06/14 CanBRASS CVE-2022-32512 CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CanBRASS Versions prior to V7.5.1 SEVD-2022-165-07 PDF SEVD-2022-165-07 CSAF
2022/06/14 EcoStruxure™ Cybersecurity Admin Expert CVE-2022-32747, CVE-2022-32748 Multiple Vulnerabilities EcoStruxure™ Cybersecurity Admin Expert(CAE) Versions 2.2 and prior SEVD-2022-165-08 PDF SEVD-2022-165-08 CSAF
2022/06/14 EcoStruxure Power Build - Rapsody CVE-2021-22697, CVE-2021-22698 Notification Update: These vulnerabilities have been fixed in V2.1.3. EcoStruxure Power Build - Rapsody software V2.1.13 and prior SEVD-2021-012-02 (V2.0) PDF SEVD-2021-012-02 (V2.0) CSAF
2022/06/14 EcoStruxure™ Control Expert, EcoStruxure™ Process Expert, SCADAPack RemoteConnect™ for x70 CVE-2022-24322, CVE-2022-24323 Notification Updated: Added SCADAPack RemoteConnect™ to the list of affected products, which is impacted on versions prior to R2.7.3 through the integration of EcoStruxure™ Control Expert. • EcoStruxure™ Control Expert Version 15.0 SP1 and prior • EcoStruxure™ Process Expert Version 2021 and prior • SCADAPack RemoteConnect™ for x70 All Versions prior to R2.7.3 SEVD-2022-067-01 (V2.0) PDF SEVD-2022-067-01 (V2.0) CSAF
2022/05/10 PowerLogic ION Setup CVE-2022-30232 CWE-20: Improper Input Validation PowerLogic ION Setup Versions prior to 3.2.22096.01 SEVD-2022-130-01 PDF SEVD-2022-130-01 CSAF
2022/05/10 Saitel DP RTU CVE-2020-6996 CWE-787: Out-of-bounds Write Saitel DP RTU Firmware Version Baseline_09.00.00 to Baseline_11.06.23 SEVD-2022-130-02 PDF SEVD-2022-130-02 CSAF
2022/05/10 Wiser Smart CVE-2022-30234
CVE-2022-30235
CVE-2022-30238
CVE-2022-30236
CVE-2022-30237
CVE-2022-30233
Multiple Vulnerabilities Wiser Smart EER21000 V4.5 and prior and Wiser Smart EER21001 V4.5 and prior SEVD-2022-130-03 PDF SEVD-2022-130-03 CSAF
2022/05/10 APC by Schneider Electric Network Management Cards (NMC) and NMC Embedded Devices CVE-2021-22810, CVE-2021-22811, CVE-2021-22812, CVE-2021-22813, CVE-2021-22814, CVE-2021-22815 Notification Updated: Remediations added for remaining affected products: APC Power Distribution products, Cooling products, Environmental Monitoring products, and Battery Management products. Network Management Card 2 (NMC2), Network Management Card 3 (NMC3), and the NMC embedded devices including: • Uninterruptible Power Supply (UPS) products • APC Power Distribution products • Cooling products •Environmental Monitoring • Battery Management products. See notification for specific affected product and version details. SEVD-2021-313-03 (V2.0) PDF SEVD-2021-313-03 (V2.0) CSAF
2022/04/13 APT Cyber Tools Targeting ICS/SCADA Devices Security Bulletin Schneider Electric, working in close collaboration with the United States Department of Energy, Homeland Security, and cybersecurity defense partner, Mandiant, identified and developed protective measures to defend against APT (Advanced Persistent Threat) Cyberattack Tools/Framework still in development that would target a set of our Programmable Logic Controllers (PLCs) products. SESB-2022-01
2022/03/08 Ritto Wiser™ Door CVE-2021-22783 CWE-200: Information Exposure Ritto Wiser™ Door (All versions) SEVD-2022-067-03 SEVD-2022-067-03 CSAF
2022/03/08 Windows Print Spooler Embedded in EcoStruxure™ Process Expert CVE-2021-34527, CVE-2021-1675 Notification Updated - EcoStruxure™ Process Expert 2021 includes a fix for these vulnerabilities EcoStruxure™ Process Expert (All versions prior to V2021) SEVD-2021-313-04 (V2.0) SEVD-2021-313-04 (V2.0) CSAF
2022/02/08 IGSS (Interactive Graphical SCADA System) CVE-2022-24310, CVE-2022-24311, CVE-2022-24312, CVE-2022-24313, CVE-2022-24314, CVE-2022-24315, CVE-2022-24316, CVE-2022-24317 Multiple Vulnerabilities IGSS Data Server: IGSSdataServer.exe (V15.0.0.22020 and prior) SEVD-2022-039-01 SEVD-2022-039-01 CSAF
2022/02/08 Easergy P40 CVE-2022-22813 CWE-798: Use of Hard-coded Credentials Easergy P40 Series model numbers with Ethernet option bit as Q, R, S (All PX4X firmware versions) SEVD-2022-039-03 SEVD-2022-039-03 CSAF
2022/02/08 spaceLYnk, Wiser For KNX, fellerLYnk CVE-2022-22809, CVE-2022-22810, CVE-2022-22811, CVE-2022-22812 Multiple Vulnerabilities • spaceLYnk (V2.6.2 and prior), • Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), • fellerLYnk (V2.6.2 and prior) SEVD-2022-039-04 SEVD-2022-039-04 CSAF
2022/02/08 EcoStruxure Geo SCADA Expert CVE-2022-24318, CVE-2022-24319, CVE-2022-24320, CVE-2022-24321 Multiple Vulnerabilities • ClearSCADA (All Versions) • EcoStruxure GeoSCADA Expert 2019 (All Versions) • EcoStruxure Geo SCADA Expert 2020 (All Versions) SEVD-2022-039-05 SEVD-2022-039-05 CSAF
2022/02/08 Harmony/Magelis iPC SeriesHMI, Vijeo Designerand Vijeo Designer Basic CVE-2021-22817 A CWE-276: Incorrect Default Permissions • Harmony/Magelis iPC Series (All Versions), • Vijeo Designer (All Versions prior to V6.2 SP11 Multiple HotFix 4), • Vijeo Designer Basic (All Versions prior to V1.2.1) SEVD-2022-039-06 SEVD-2022-039-06 CSAF
2022/02/08 Harmony (formerly known as Magelis) HMI Panels CVE-2019-6833 A full fix is available for a selection of affected products and introduced a mitigation section to reduce the risk of exploit. Identified products with the status End of Commercialization in the list of affected products. See security notification
2022/01/11 Ethernet and Web server on Modicon M340 controller and Communication Modules CVE-2022-22724, CVE-2020-7534 CWE-352: Cross-Site Request Forgery (CSRF) & CWE-400: Uncontrolled Resource Consumption • Modicon M340 CPUs (BMXP34 - All Versions), • Modicon Quantum CPUs with integrated Ethernet (Copro) (140CPU65 - All Versions), • Modicon Premium CPUs with integrated Ethernet (Copro) (TSXP57 - All Versions), • Modicon M340 ethernet modules (BMXNOC040, BMXNOE01, BMXNOR0200H - All Versions) , • Modicon Quantum and Premiumfactory cast communication modules (140NOE77111, 140NOC78*00, TSXETY5103, TSXETY4103 - All Versions) SEVD-2022-011-01 SEVD-2022-011-01 CSAF
2022/01/11 Easergy T300 CVE-2020-8597 CWE-120: Buffer Copy without Checking Size of Input Easergy T300 (Only products connected to a 3G/4G network using the following T300 modems are vulnerable: • Easergy HU250 3G modem box - Five Bands UMTS/HSPA+, • Easergy HU250 4G modem box with GPS clock synchronization Firmware V2.7.1 and prior) SEVD-2022-011-02 SEVD-2022-011-02 CSAF
2022/01/11 Easergy P5 CVE-2022-22722, CVE-2022-22723 CWE-798: Use of Hard-coded Credentials & CWE-120: Buffer Copy without Checking Size of Input Easergy P5 (All firmware versions prior to V01.401.101) SEVD-2022-011-03 SEVD-2022-011-03 (V1.1) CSAF
2022/01/11 Easergy P3 CVE-2022-22725 CWE-120: Buffer Copy without Checking Size of Input Easergy P3 (All versions prior to V30.205) SEVD-2022-011-04 SEVD-2022-011-04 CSAF
2022/01/11 ConneXium Tofino Firewall and Loadable Security Modules CVE-2021-30061, CVE-2021-30064, CVE-2021-30065, CVE-2021-30066, CVE-2021-30062, CVE-2021-30063 Multiple Vulnerabilities ConneXium Tofino Firewall – part number TCSEFEA23F3F22 - Version prior to v03.23 , ConneXium Tofino OPC-LSM – part number TCSEFM0000 - Version prior to Firewall host version v03.23, ConneXium Tofino Firewall – part number TCSEFEA23F3F20/21 - All Versions SEVD-2022-011-05 SEVD-2022-011-05 CSAF
2022/01/11 EcoStruxure™ Power Monitoring Expert CVE-2022-22726, CVE-2022-22727, CVE-2019-8963, CVE-2022-22804 Multiple Vulnerabilities EcoStruxure Power Monitoring Expert (All Versions 2020 and prior) SEVD-2022-011-07 SEVD-2022-011-07 CSAF
2021/12/14 IGSS (Interactive Graphical SCADA System) CVE-2021-22823, CVE-2021-22824 Multiple Vulnerabilties IGSS Data Collector (dc.exe) V15.0.0.21320 and prior SEVD-2021-348-01
2021/12/14 EVlink City / Parking / Smart Wallbox Charging Stations CVE-2021-22724, CVE-2021-22725, CVE-2021-22818, CVE-2021-22819, CVE-2021-22820, CVE-2021-22821, CVE-2021-22822, Multiple Vulnerabilties EVlink City (EVC1S22P4 / EVC1S7P4), EVlink Parking (EVW2 / EVF2 / EVP2PE), EVlink Smart Wallbox EVB1A - All versions prior to R8 V3.4.0.2 SEVD-2021-348-02
2021/12/14 EcoStruxure™ Power Monitoring Expert CVE-2021-22826, CVE-2021-22827 Multiple Vulnerabilties EcoStruxure™ Power Monitoring Expert V9.0 and prior SEVD-2021-348-03
2021/12/14 APC by Schneider Electric Rack PDU CVE-2021-22825 CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') AP7xxxx and AP8xxx with NMC2. (V6.9.6 and prior), AP7xxx and AP8xxx with NMC3 (V1.1.0.3 and prior), APDU9xxx with NMC3 (V1.0.0.28 and prior) SEVD-2021-348-04
2021/12/14 Web Server on Modicon M580 Controllers and Communication Modules (V4.0) CVE-2019-6848, CVE-2019-6849, CVE-2019-6850 Multiple Vulnerabilities (December 2021 Update: A fix is now available for CVE-2019-6849 on the BMENOC0321) Modicon M580, Modicon BMENOC 0311, Modicon BMENOC 0321 SEVD-2019-281-04 (V4.0)
2021/11/09 Cyber Attacks against KNX Systems Improperly Exposed to the Internet Schneider Electric is aware of confirmed reports of cyber-attacks targeting KNX home and building automation systems utilizing a KNXnet/IP Ethernet to KNX gateway or router that has been improperly exposed to the Internet. See security bulletin for recommended mitigations. SESB-2021-313-01
2021/11/09 SCADAPack 300E Series RTU CVE-2021-22816 CWE-754: Improper Check for Unusual or Exceptional Conditions SCADAPack 312E, 313E, 314E, 330E, 333E, 334E, 337E, 350E and 357E RTUs with firmware V8.18.1 and prior SEVD-2021-313-01
2021/11/09 Schneider Electric Software Update (SESU) CVE-2021-22799 CWE-331: Insufficient Entropy Schneider Electric Software Update, V2.3.0 through V2.5.1 SEVD-2021-313-02
2021/11/09 TelevisAir Dongle BTLE - - TelevisAir V3.0 Dongle BTLE (part number ADBT42* and prior) SEVD-2021-313-06
2021/11/09 Eurotherm GUIcon CVE-2021-22807, CVE-2021-22808, CVE-2021-22809 Multiple Vulnerabilities Eurotherm by Schneider Electric GUIcon Version 2.0 (Build 683.003) and prior SEVD-2021-313-07
2021/10/12 spaceLYnk, Wiser For KNX, fellerLYnk CVE-2021-22806 CWE-669: Incorrect Resource Transfer Between Spheres spaceLYnk V2.6.1 and prior • Wiser for KNX V2.6.1 and prior • fellerLYnk V2.6.1 and prior SEVD-2021-285-01
2021/10/12 ConneXium Network Manager (CNM) Software CVE-2021-22801 CWE-269: Improper Privilege Management ConneXium Network Manager (Ethernet network management software) – all versions SEVD-2021-285-02
2021/10/12 IGSS (Interactive Graphical SCADA System) CVE-2021-22802, CVE-2021-22803, CVE-2021-22804, CVE-2021-22805 Multiple Vulnerabilties IGSS Data Collector (dc.exe) V15.0.0.21243 and prior SEVD-2021-285-03
2021/10/12 Modicon M218 Logic Controller CVE-2021-22800 CWE-20: Improper Input Validation Modicon M218 logic controller firmware version v5.1.0.6 and prior. SEVD-2021-285-04
2021/10/12 Conext™ Advisor & Conext™ Control V2 CVE-2019-11135, CVE-2020-0601, CVE-2020-0609, CVE-2020-0610, CVE-2020-0796, CVE-2020-0938, CVE-2020-1020, CVE-2020-1350, CVE-2020-1472, CVE-2019-0803, CVE-2019-1040 Multiple Vulnerabilities • Conext™ Advisor 2 Cloud 2.02 and below • Conext™ Advisor 2 Gateway 1.28.45 and below • Conext™ Control V2 Gateway 2.6 and below SEVD-2021-285-05
2021/10/12 Embedded TCP/IP Stacks Vulnerabilities (AMNESIA:33) in Modicon TM5 modules CVE-2020-13987, CVE-2020-17438 Multiple Vulnerabilities • TM5CSLC100FS: safety logic controller Firmware V2.56 and prior • TM5CSLC200FS: safety logic controller Firmware V2.56 and prior • TM5NS31: sercos III communication module Firmware V2.78 and prior • TM5NEIP1: EtherNet/IP module Firmware V3.10 and prior • TM5NEIP1K: EtherNet/IP FieldBus KIT Firmware V3.10 and prior SEVD-2021-285-06
2021/10/12 Microsoft Remote Desktop Services (DejaBlue) (V5.0) CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1223, CVE-2019-1224, CVE-2019-1225, CVE-2019-1226 Multiple Vulnerabilities (Notification Updated) Multiple Products SEVD-2019-267-01 (V5.0)
2021/10/12 Intel Microarchitectural Data Sampling (ZombieLoad) (V6.0) CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091 Multiple Vulnerabilities (Notification Updated) Multiple Products SEVD-2019-193-01 (V6.0)
2021/10/12 Microsoft Remote Desktop Services (BlueKeep) (V7.0) CVE-2019-0708 Remote Code Execution (Notification Updated) Multiple Products SEVD-2019-193-02 (V7.0)
2021/09/14 StruxureWare Data Center Expert CVE-2021-22794, CVE-2021-22795 Multiple Vulnerabilities StruxureWare Data Center Expert versions 7.8.1 and prior. SEVD-2021-257-03
2021/09/14 Conext™ ComBox  CVE-2021-22798 CWE-522: Insufficiently Protected Credentials Conext™ ComBox, all versions SEVD-2021-257-04
2021/09/14 Treck TCP/IPv6 Vulnerabilities (V4.0) CVE-2020-27336, CVE-2020-27337, CVE-2020-27338 Multiple Vulnerabilities (Notification Updated) • ATV340E Altivar Machine Drives • ATV630/650/660/680/6A0/6B0 Altivar Process Drives • ATV930/950/960/980/9A0/9B0 Altivar Process Drives • VW3A3720, VW3A3721 Altivar Process Communication Modules • APC Network Management Card 2 (NMC2) • APC Network Management Card 3 (NMC3) • IFE Gateway  • Acti9 Smartlink IP*  • Acti9 PowerTag Link / HD*  • Acti9 Smartlink SI D*  • Acti9 Smartlink SI B*  • EGX150/Link150 Ethernet Gateway**  • eIFE Ethernet Interface for MasterPact MTZ drawout circuit breakers • IFE Ethernet Interface for ComPact, PowerPact, and MasterPact circuit breakers • TM3 Bus Coupler EIP • ATV6000 Medium Voltage Altivar Process Drives SEVD-2020-353-01 (V4.0)
2021/08/10 Harmony/Magelis HMI Products configured by Vijeo Designer, Vijeo Designer Basic and EcoStruxure Machine Expert CVE-2021-22704 CWE-22: Improper Limitation of a Pathname to a Restricted Directory Harmony/HMI Products Configured by Vijeo Designer (all versions prior to V6.2 SP11 ), Vijeo Designer Basic (all versions prior to V1.2), or EcoStruxure Machine Expert (all versions prior to V2.0) SEVD-2021-222-01
2021/08/10 Pro-face GP-Pro EX CVE-2021-22775 CWE-427: Uncontrolled Search Path Element GP-Pro EX V4.09.250 and prior SEVD-2021-222-03
2021/08/10 AccuSine PCSn/PCS+/PFV+ CVE-2021-22793 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor AccuSine PCS+ / PFV+ (Versions prior to V1.6.7) and AccuSine PCSn (Versions prior to V2.2.4) SEVD-2021-222-05
2021/08/10 CODESYS V2 Vulnerabilities in Programmable Automation Controller (PacDrive) M CVE-2021-30186, CVE-2021-30188, CVE-2021-30195 Multiple Vulnerabilities Programmable Automation Controller (PacDrive) M, all versions SEVD-2021-222-06
2021/08/10 NTZ Mekhanotronika Rus. LLC SHAIIS-MT-111, SHASU-MT-107 and SHFK-MT, and SHFK-MT-104 Control Panels CVE-2021-34527, CVE-2021-1675 Multiple Vulnerabilities SHAIIS-MT-111, SHASU-MT-107 and SHFK-MT, and SHFK-MT-104 Control Panels (see security notification for more details) SEVD-2021-222-07
2021/08/10  NTZ Mekhanotronika Rus. LLC SHFK-MT-104 Control Panels  CVE-2021-31166 HTTP Protocol Stack Remote Code Execution SHFK-MT-104 Control Panels (see security notification for more details) SEVD-2021-222-08
2021/08/10 Embedded Web Server for Modicon X80 BMXNOR0200H RTU Module (V2.0) CVE-2021-22749 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor Modicon X80 BMXNOR0200H RTU SV1.70 IR22 and prior SEVD-2021-159-05 (V2.0)
2021/08/10 Treck HTTP Server Vulnerability on TM3 Bus Coupler Modules (V2.0) CVE-2020-25066 Heap-Based Overflow • TM3 Bus Coupler (EIP firmware version 2.1.50.2 and prior) • TM3 Bus Coupler (SL firmware version 2.0.50.2 and prior) • TM3 Bus Coupler (CANOpen firmware version 2.0.50.2 and prior) SEVD-2020-353-02 (V2.0)
2021/08/10 Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (V2.0) CVE-2020-7540 • CWE-306: Missing Authentication for Critical Function • Modicon M340 CPUs (BMXP34* all versions prior to V3.30) • Modicon M340 Ethernet Communication modules(BMXNOE0100 (H) all versions prior to V3.3, BMXNOE0110 (H) all versions prior to V6.5, BMXNOC0401 (H) all versions prior to V2.10) • Modicon Premium communication modules (TSXETY4103 prior to V6.2, TSXETY5103 prior to V6.4) • Modicon Premium processors with integrated Ethernet COPRO (TSXP574634 versions prior to V6.1, TSXP575634 versions prior to V6.1, TSXP576634 versions prior to V6.1) • Modicon Quantum processors with integrated Ethernet COPRO (140CPU65xx0 prior to V6.1) • Modicon Quantum communication modules (140NOE771x1, prior to V7.1, 140NOC78x00, prior to V1.74, 140NOC77101, prior to V1.08) • BMXNOR200H (all versions) SEVD-2020-343-04 (V2.0)
2021/08/10 Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (V2.0) CVE-2020-7539, CVE-2020-7541 Multiple Vulnerabilities • Modicon M340 CPUs (BMXP34* versions prior to V3.30) • Modicon M340 Ethernet Communication modules (BMXNOE0100 (H) versions prior to V3.3, BMXNOE0110 (H) versions prior to V6.5, BMXNOC0401 (H) versions prior to V2.10) • Modicon Premium communication modules (TSXETY4103 versions prior to V6.2, TSXETY5103 versions prior to V6.4) • Modicon Premium processors with integrated Ethernet COPRO (TSXP574634 versions prior to V6.1, TSXP575634 versions prior to V6.1, TSXP576634 versions prior to V6.1) • Modicon Quantum processors with integrated Ethernet COPRO (140CPU65xx0 versions prior to V6.1) • Modicon Quantum communication modules (140NOE771x1 versions prior to V7.1, 140NOC78x00 versions prior to V1.74, 140NOC77101 versions prior to V1.08) SEVD-2020-343-03 (V2.0)
2021/07/13 Easergy T300 CVE-2021-22769, CVE-2021-22770, CVE-2021-22771 Multiple Vulnerabilities Easergy T300 with firmware V2.7.1 and prior SEVD-2021-194-02
2021/07/13 SoSafe Configurable CVE-2021-22777 CWE-502: Deserialization of Untrusted Data SoSafe Configurable prior to V1.8.1 SEVD-2021-194-03
2021/07/13  C-Bus Toolkit  CVE-2021-22784 CWE-287: Improper Authentication C-Bus Toolkit V1.15.8 and prior SEVD-2021-194-04
2021/07/13 Easergy T200 CVE-2021-22772 CWE-306: Missing Authentication for Critical Function Easergy T200 (Modbus) SC2-04MOD-07000100 and earlier • Easergy T200 (IEC104) SC2-04IEC-07000100 and earlier • Easergy T200 (DNP3) SC2-04DNP-07000102 and earlier SEVD-2021-194-05
2021/07/13 EVlink City / Parking / Smart Wallbox Charging Stations CVE-2021-22706, CVE-2021-22707, CVE-2021-22708, CVE-2021-22721, CVE-2021-22722, CVE-2021-22723, CVE-2021-22726, CVE-2021-22727, CVE-2021-22728, CVE-2021-22729, CVE-2021-22730, CVE-2021-22773, CVE-2021-22774 Multiple Vulnerabilities All versions prior to R8 V3.4.0.1 of EVlink City (EVC1S22P4 / EVC1S7P4), EVlink Parking (EVW2 / EVF2 / EV.2), and EVlink Smart Wallbox (EVB1A) SEVD-2021-194-06
2021/07/13 APC by Schneider Electric Network Management Cards (Ripple20) (V2.3) CVE-2020-11896, CVE-2020-11897, CVE-2020-11898, CVE-2020-11899, CVE-2020-11900, CVE-2020-11901, CVE-2020-11902, CVE-2020-11903, CVE-2020-11904, CVE-2020-11905, CVE-2020-11906, CVE-2020-11907, CVE-2020-11908, CVE-2020-11909, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11913, CVE-2020-11914 Multiple Vulnerabilities (Notification Updated) • APC Network Management Card 1 (NMC1) • APC Network Management Card 2 (NMC2) • APC Network Management Card 3 (NMC3) SEVD-2020-174-01 (V2.3)
2021/07/13 EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and RemoteConnect™ (V2.0) CVE-2020-7560 CWE-123 - Write-what-where Condition • EcoStruxure Control Expert (versions prior to v15.0 SP1) • Unity Pro (all versions) •EcoStruxure Process Expert (all versions) • RemoteConnect (all versions) SEVD-2020-343-01 (V2.0)
2021/07/13 Triconex Models 3009 MP and TCM 4351B (V1.1) CVE-2021-22742, CVE-2021-22743, CVE-2021-22744, CVE-2021-22745, CVE-2021-22746, CVE-2021-22747 Multiple Vulnerabilities Triconex Model 3009 MP and TCM 4351B installed on Tricon v11.3.x systems. SEVD-2021-130-03 (V1.1)
2021/06/08 IGSS (Interactive Graphical SCADA System) CVE-2021-22750, CVE-2021-22751, CVE-2021-22752, CVE-2021-22753, CVE-2021-22754, CVE-2021-22755, CVE-2021-22756, CVE-2021-22757, CVE-2021-22758, CVE-2021-22759, CVE-2021-22760, CVE-2021-22761, CVE-2021-22762 Multiple Vulnerabilities IGSS Definition (Def.exe) V15.0.0.21140 and prior SEVD-2021-159-01
2021/06/08 PowerLogic EGX100 and PowerLogicEGX300 CVE-2021-22763, CVE-2021-22764, CVE-2021-22765, CVE-2021-22766, CVE-2021-22767, CVE-2021-22768 Multiple Vulnerabilities EGX100 (All Versions) • EGX100 (Versions 3.0.0 and newer) • EGX300 (All Versions) SEVD-2021-159-03
2021/06/08 Enerlin'X Com’X 510 CVE-2021-22769 CWE-269: Improper Privilege Management Enerlin’X Com’X versions prior to V6.8.4 SEVD-2021-159-06
2021/06/08 EcoStruxure™ Machine Expert and Modicon M218/M241/M251/M262, LMC PacDrive Eco/Pro/Pro2, HMISCU, ATV IMC Logic Controllers, SoMachine/SoMachine Motion CVE-2020-10245, CVE-2019-13538, CVE-2019-9008, CVE-2019-9009, CVE-2020-7052 Multiple Vulnerabilities (Notification Updated) • EcoStruxure™ Machine Expert and Modicon M218/M241/M251/M262 • LMC PacDrive Eco/Pro/Pro2 • HMISCU • ATV IMC Logic Controllers • SoMachine/SoMachine Motion (See Security Notification for full version information) SEVD-2021-130-06 (V2.0)
2021/05/11 Modicon Managed Switch CVE-2021-22731 CWE-640: Weak Password Recovery Mechanism for Forgotten Password Modicon Managed Switch MCSESM* and MCSESP* V8.21 and prior SEVD-2021-130-01
2021/05/11 Harmony HMI Products Configured by Vijeo Designer or EcoStruxure Machine Expert CVE-2021-22705 CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer Harmony HMI Products Configured by Vijeo Designer (all versions prior to V6.2 SP11 ) or EcoStruxur Machine Expert (all versions prior to V2.0) SEVD-2021-130-02
2021/05/11 Modicon M241 and M251 Logic Controllers CVE-2021-22699 CWE-20: Improper Input Validation Modicon M241/M251 logic controllers firmware prior to V5.1.9.1 SEVD-2021-130-05
2021/05/11 EcoStruxure™ Geo SCADA Expert CVE-2021-22741 CWE-916: Use of Password Hash with Insufficient Computational Effort • ClearSCADA (all versions) • EcoStruxure Geo SCADA Expert 2019 (all versions) • EcoStruxure Geo SCADA Expert 2020 (V83.7742.1 and prior) SEVD-2021-130-07
2021/05/11 Modicon Controllers, EcoStruxure™ Control Expert and Unity Pro Programming Software (V3.0) CVE-2020-7475 CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (Notification Updated) • EcoStruxure™ Control Expert: all versions prior to V15.0 • Unity Pro: all versions • Modicon M340: all versions prior to V3.20 • Modicon M580: all versions prior to V3.10 SEVD-2020-080-01 (V3.0)
2021/05/11 Web Server on Modicon M580 Controllers and Communication Modules (V3.0) CVE-2019-6848, CVE-2019-6849, CVE-2019-6850  Multiple Vulnerabilities (Notification Updated) Modicon M580, Modicon BMENOC 0311, Modicon BMENOC 0321
2021/04/13 NTZ Mekhanotronika Rus. LLC SHFK-MT-104, SHASU-MT-107 and SHAIIS-MT-111 Control Panels CVE-2019-1040, CVE-2019-0803 Multiple Vulnerabilities SHFK-MT-104, SHASU-MT-107, SHAIIS-MT-111 (See Security Notification for details) SEVD-2021-103-02
2021/04/13 Schneider Electric Floating License Manager CVE-2019-8960, CVE-2019-8961 Multiple Vulnerabilities (Notification Updated) Schneider Electric Floating License Manager V2.4.0.0 and earlier SEVD-2020-196-02 (V1.3)
2021/03/09 IGSS (Interactive Graphical SCADA System) CVE-2021-22709, CVE-2021-22710, CVE-2021-22711, CVE-2021-22712 Multiple Vulnerabilities IGSS Definition (Def.exe) version 15.0.0.21041 and prior SEVD-2021-068-01
2021/03/09 PowerLogic ION7400 / PM8000 / ION9000 Power Meters CVE-2021-22714 CWE-119: Improper restriction of operations within the bounds of a memory buffer All versions prior to V3.0.0 of ION7400, ION9000, and ION8000 SEVD-2021-068-02
2021/03/09 PowerLogic ION8650 / ION8800 / ION7x50 / ION7700/73xx / ION83xx/84xx/85xx/8600 Power Meters CVE-2021-22713 CWE-119: Improper restriction of operations within the bounds of a memory buffer ION8650 / ION8800 / ION7x50 / ION7700/73xx / ION83xx/84xx/85xx/8600 (See notification for affected versions) SEVD-2021-068-03
2021/02/09 PowerLogic Power Metering Products CVE-2021-22701, CVE-2021-22702, CVE-2021-22703 Multiple Vulnerabilities ION7400, ION7x50, ION7700/73xx, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM8000 (see notification for affected versions) SEVD-2021-040-01
2021/01/12 EcoStruxure™ Operator Terminal Expert (Vijeo XD), Pro-face BLUE and WinGP runtime CVE-2020-7544 CWE-269 Improper Privilege Management (Notification Updated) • EcoStruxure™ Operator Terminal Expert Runtime 3.1 Service Pack 1A and prior • Pro-face BLUE Runtime 3.1 Service Pack 1A and prior • WinGP V4.09.120 • (See security notification for more details) SEVD-2020-315-02 (V2.0)
2021/01/12 Modicon M100/M200/M221 Programmable Logic Controllers (V3.0) CVE-2020-7565
CVE-2020-7566
CVE-2020-7567
CVE-2020-7568
CVE-2020-28214
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-311: Missing Encryption of Sensitive Data
• CWE-326: Inadequate Encryption Strength
• CWE-334: Small Space of Random Values
• CWE-760: Use of a One-Way Hash with a Predictable Salt
Modicon M100/M200/M221 (all references) (all versions) SEVD-2020-315-05 (V3.0) PDF
2020/12/08 EcoStruxure™ Geo SCADA Expert CVE-2020-28219 CWE-522: Insufficiently Protected Credentials • EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) • EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1) SEVD-2020-343-02
2020/12/08 Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium CVE-2020-7537, CVE-2020-7542, CVE-2020-7543 Multiple Vulnerabilities • Modicon M580 CPUs (BMEx58xxxxx prior to version 3.20) • Modicon M340 CPUs (BMX P34x prior to version 3.30) • Modicon Premium CPUs all versions –(SXP574634, TSXP575634, TSXP576634) • Modicon Quantum CPUs all versions (40CPU65xxxxx) SEVD-2020-343-08
2020/12/08 Modicon M258 Logic Controllers and SoMachine/ SoMachine Motion Software CVE-2020-28220 CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer • Modicon M258 Firmware (All versions prior to V5.0.4.11) • SoMachine/SoMachine Motion software (All versions) SEVD-2020-343-09
2020/12/08 Easergy T300  CVE-2020-7561, CVE-2020-28215, CVE-2020-28216, CVE-2020-28217, CVE-2020-28218 Multiple Vulnerabilities (Notification Updated) Easergy T300 with firmware 2.7 and older  SEVD-2020-315-06 (V2.0)
2020/12/08 Wibu-Systems CodeMeter Vulnerabilities CVE-2020-14509, CVE-2020-14513, CVE-2020-14515, CVE-2020-14517, CVE-2020-14519, CVE-2020-16233 Multiple Vulnerabilities - EcoStruxure Machine Expert (formerly known as SoMachine and SoMachine Motion) - E+PLC400 - E+PLC100 - E+PLC_Setup - EcoStruxure Machine SCADA Expert SEVD-2020-287-02 (V1.1)
2020/11/10 Interactive Graphical SCADA System (IGSS) CVE-2020-7550, CVE-2020-7551, CVE-2020-7552, CVE-2020-7553, CVE-2020-7554, CVE-2020-7555, CVE-2020-7556, CVE-2020-7557, CVE-2020-7558 Multiple Vulnerabilities IGSS Definition (Def.exe) version 14.0.0.20247 and prior SEVD-2020-315-03
2020/11/10 EcoStruxure Building Operation (EBO) CVE-2020-7569, CVE-2020-7570, CVE-2020-7571, CVE-2020-7572, CVE-2020-7573, CVE-2020-28209, CVE-2020-28210 Multiple Vulnerabilities • WebReports V1.9 - V3.1 WebStation (V2.0 - V3.1) • Enterprise Server installer (V1.9 - V3.1) • Enterprise Central installer (V2.0 - V3.1) SEVD-2020-315-04
2020/11/10 Trio Q and J Data Radios - Drovorub malware  Trio Q and J Data Radios  SESB-2020-315-01
2020/11/10 EcoStruxure™ Operator Terminal Expert (Vijeo XD)  CVE-2020-7493, CVE-2020-7494, CVE-2020-7495, CVE-2020-7496, CVE-2020-7497 Multiple Vulnerabilities EcoStruxure™ Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)  SEVD-2020-133-04 (V3.0)
2020/11/10 Modicon M218/M241/M251/M258 Logic Controllers SoMachine/SoMachine Motion EcoStruxure™ Machine Expert  CVE-2020-7487, CVE-2020-7488 Multiple Vulnerabilities All versions SEVD-2020-105-02 (V1.1)
2020/10/13 Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules CVE-2020-7533 CWE-255: Credentials Management - M340 CPUs - M340 Communication Ethernet modules - Premium processors with integrated Ethernet COPRO - Premium communication modules - Quantum processors with integrated Ethernet COPRO - Quantum communication modules SEVD-2020-287-01
2020/10/13 Smartlink, PowerTag, and Wiser Series Gateways CVE-2020-7548 CWE-330 - Use of Insufficiently Random Values - Acti9 Smartlink SI D all versions prior to 002.004.002 - Acti9 Smartlink SI B all versions prior to 002.004.002 - Acti9 PowerTag Link / Link HD all versions prior to 001.008.007 - Acti9 Smartlink EL B all versions prior to 1.2.1 - Wiser Link all versions prior to 1.5.0 - Wiser Energy all versions prior to 1.5.0 SEVD-2020-287-03
2020/10/13 EcoStruxure™ and SmartStruxure™ Power Monitoring and SCADA Software CVE-2020-7545, CVE-2020-7546, CVE-2020-7547 Multiple Vulnerabilities - EcoStruxure™ Power Monitoring Expert versions 9.0, 8.x, 7.x - EcoStruxure™ Energy Expert version 2.0 - Power Manager versions 1.1, 1.2, 1.3 - StruxureWare™ PowerSCADA Expert with Advanced Reporting and Dashboards Module versions 8.x - EcoStruxure™ Power SCADA Operation with Advanced Reporting and Dashboards Module version 9.0 SEVD-2020-287-04
2020/10/13 Netlogon Elevation of Privilege Vulnerability CVE-2020-1472 Multiple Vulnerabilities Elevation of privilege vulnerability SESB-2020-287-01
2020/10/13 Modbus Serial Driver CVE-2020-7523 CWE-269: Improper Privilege Management - Schneider Electric Modbus Serial Driver (64 bits) versions prior to V3.20 IE 30 - Schneider Electric Modbus Serial Driver (32 bits) versions prior to V2.20 IE 30 - Schneider Electric Modbus Driver Suite versions prior to V14.15.0.0 SEVD-2020-224-01 (V1.1)
2020/10/13 SCADAPack 7x Remote Connect and SCADAPack x70 Security Administrator CVE-2020-7528, CVE-2020-7529, CVE-2020-7530, CVE-2020-7531, CVE-2020-7532 Multiple Vulnerabilities SCADAPack 7x Remote Connect (V3.6.3.574 and prior) and SCADAPack x70 Security Administrator (V1.2.0 and prior) SEVD-2020-252-01 (V1.1)
2020/08/11 spaceLYnk and Wiser for KNX (formerly homeLYnk) CVE-2020-7525 CWE-307: Improper Restriction of Excessive Authentication Attempts All hardware versions of spaceLYnk and Wiser for KNX (formerly homeLYnk) SEVD-2020-224-02
2020/08/11 Modicon M218 Logic Controller CVE-2020-7524 CWE-787:Out-of-bounds Write Modicon M218 Logic Controller V5.0.0.7 and prior SEVD-2020-224-03
2020/08/11 APC Easy UPS On-Line Software CVE-2020-7521, CVE-2020-7522 Multiple Vulnerabilities SFAPV9601 - APC Easy UPS On-Line Software V2.0 and earlier SEVD-2020-224-04
2020/08/11 PowerChute Business Edition CVE-2020-7526 CWE-20: Improper Input Validation PowerChute Business Edition software V9.0.x and earlier SEVD-2020-224-05
2020/08/11 Harmony® eXLhoist CVE-2019-19193 Bluetooth Low Energy Vulnerability (SweynTooth) Harmony® eXLhoist base stations v04.00.02.00 and prior  SEVD-2020-224-06
2020/08/11 SoMove CVE-2020-7527 CWE-276: Incorrect Default Permission SoMove V2.8.1 and prior SEVD-2020-224-07
2020/08/11 Schneider Electric PACTware CVE-2020-9403, CVE-2020-9404 Multiple Vulnerabilities • Schneider Electric PACTware V5.0.5.30 and prior. • Schneider Electric PACTware V4.1 SP5 and prior. SEVD-2020-224-08
2020/08/11 Vijeo Designer and Vijeo Designer Basic CVE-2020-7501 CWE-798: Use of Hard-coded Credentials  Vijeo Designer Basic V1.1 HotFix 16 and prior , Vijeo Designer V6.9 SP9 and prior  SEVD-2020-133-02 (V1.1)
2020/08/11 Vijeo Designer and Vijeo Designer Basic  CVE-2020-7490  CWE-426: Untrusted Search Path  Vijeo Designer Basic (V1.1 HotFix 15 and prior) and Vijeo Designer (V6.2 SP9 and prior) SEVD-2020-105-03 (V1.2)
2020/07/14 Schneider Electric Software Update (SESU) CVE-2020-7520 CWE-601: URL Redirection to Untrusted Site ('Open Redirect') SESU V2.4.0 and earlier SEVD-2020-196-01
2020/06/23 Security Bulletin: Treck TCP/IP Vulnerabilities (Ripple20) CVE-2020-11896, CVE-2020-11897, CVE-2020-11898, CVE-2020-11899, CVE-2020-11900, CVE-2020-11901, CVE-2020-11902, CVE-2020-11903, CVE-2020-11904, CVE-2020-11905, CVE-2020-11906, CVE-2020-11907, CVE-2020-11908, CVE-2020-11909, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11913, CVE-2020-11914 Multiple Vulnerabilities See Security Bulletin SESB-2020-168-01 (V2.0)
2020/06/23 Legacy Triconex Product Vulnerabilities CVE-2020-7483, CVE-2020-7484, CVE-2020-7485, CVE-2020-7486, CVE-2020-7491 Multiple Vulnerabilities See Security Bulletin SESB-2020-105-01 (V2.1)
2020/06/09 Modicon M218 Logic Controller CVE-2020-7502 CWE-787: Out-of-bounds Write Vulnerability Modicon M218 firmware version 4.3 and prior SEVD-2020-161-01
2020/06/09 Unity Loader and OS Loader Software CVE-2020-7498 CWE-798: Use of Hard-coded Credentials  Unity Loader - All versions OS Loader - All versions (used for legacy Modicon offers) SEVD-2020-161-02
2020/06/09 Modicon LMC078 Logic Controller CVE-2020-10664 NULL Pointer Dereference  Modicon LMC Logic Controller running with firmware version V1.51.15.05 and later SEVD-2020-161-03
2020/06/09 Easergy T300 CVE-2020-7503, CVE-2020-7504, CVE-2020-7505, CVE-2020-7506, CVE-2020-7507, CVE-2020-7508, CVE-2020-7509, CVE-2020-7510, CVE-2020-7511, CVE-2020-7512, CVE-2020-7513 Multiple Vulnerabilities Easergy T300 with firmware 1.5.2. and older SEVD-2020-161-04
2020/06/09 Easergy Builder CVE-2020-7514, CVE-2020-7515, CVE-2020-7516, CVE-2020-7517, CVE-2020-7518, CVE-2020-7519 Multiple Vulnerabilities Easergy Builder version 1.4.7.2 and older SEVD-2020-161-05
2020/06/09 GoAhead Web Server CVE-2015-7937 Stack-based buffer overflow  BMXNOC0401 (all versions prior to v2.09) BMXNOE0100 (all versions prior to v3.10) BMXNOE0100H (all versions prior to v3.10) BMXNOE0110 (all versions prior to v6.30) BMXNOE0110H (all versions prior to v6.30) BMXNOR0200 (all versions prior to v1.70) BMXNOR0200H (all versions prior to v1.70) BMXP342020 (all versions prior to v2.80) BMXP342020H (all versions prior to v2.80) BMXP342030 (all versions prior to v2.80) BMXP3420302 (all versions prior to v2.80) BMXP3420302H (all versions prior to v2.80) BMXPRA0100 (all versions prior to v2.80)  SEVD-2015-344-01 (V2.0)
2020/05/12 Pro-face GP-Pro EX Programming Software CVE-2020-7492 CWE-521: Weak Password Requirements  GP-Pro EX V1.00 to V4.09.100 SEVD-2020-133-01
2020/05/12 U.motion Servers and Touch Panels CVE-2020-7499, CVE-2020-7500 Multiple Vulnerabilities  All versions of: MTN6501-0001 – U.Motion – KNX Server, MTN6501-0002 – U.Motion – KNX Server Plus, MTN6260-0410 – U.Motion KNX server Plus, Touch 10, MTN6260-0415 – U.Motion KNX server Plus, Touch 15, MTN6260-0310 – U.Motion KNX Client Touch 10, MTN6260-0315 – U.Motion KNX Client Touch 15  SEVD-2020-133-03
2020/05/12 Andover Continuum System CVE-2020-7480, CVE-2020-7481, CVE-2020-7482 Multiple Vulnerabilities All Continuum versions are affected SEVD-2020-070-04 (2.1)
2020/05/12 Embedded Web Servers for Modicon CVE-2018-7804, CVE-2018-7809, CVE-2018-7810, CVE-2018-7811, CVE-2018-7812, CVE-2018-7830, CVE-2018-7831, CVE-2018-7833 Multiple Vulnerabilities All Modicon M340, Premium, Quantum PLCs, BMXNOR0200 controllers SESB-2018-327-01 (V3.2)
2020/04/14 Modicon M100/M200/M221 controllers, SoMachine Basic and EcoStruxure Machine Expert - Basic Programming Software  CVE-2020-7489  CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')  All versions SEVD-2020-105-01
2020/04/14 Modicon Controllers, EcoStruxure™Control Expert and Unity Pro Programming Software CVE-2019-6855  CWE-285  Improper Authorization EcoStruxure™ Control Expert: all versions prior to 14.1 Hot Fix, Unity Pro: all versions, Modicon M340: all versions prior to V3.20, Modicon M580: all versions prior to V3.10 SEVD-2019-344-02 (V2.0)
2020/03/10 IGSS (Interactive Graphical SCADA System) CVE-2020-7478, CVE-2020-7479 Multiple Vulnerabilities Versions 14 and prior using the service: IGSSupdate. SEVD-2020-070-01
2020/03/10 Modicon Quantum Ethernet Network module and Quantum / Premium COPRO CVE-2020-7477 CWE-754: Improper Check for Unusual or Exception Conditions Quantum Ethernet Network module 140NOE771x1, versions 7.0 and prior, Quantum processors with integrated Ethernet – 140CPU65xxxxx, all versions, Premium processors with integrated Ethernet, all versions SEVD-2020-070-02
2020/03/10 ZigBee Installation Toolkit CVE-2020-7476 CWE-426: Untrusted Search Path Versions prior to 1.0.1 SEVD-2020-070-03
2020/02/11 ProSoft Configurator for Modicon PMEPXM0100 (H) CVE-2020-7474 CWE-427: Uncontrolled Search Path Element ProSoft Configurator v1.002 and prior, for the PMEPXM0100 (H) module SEVD-2020-042-01
2020/02/11 U.motion Builder Software CVE-2018-7763, CVE-2018-7764, CVE-2018-7765, CVE-2018-7766, CVE-2018-7767, CVE-2018-7768, CVE-2018-7769, CVE-2018-7770, CVE-2018-7771, CVE-2018-7772, CVE-2018-7773, CVE-2018-7774, CVE-2018-7776, CVE-2018-7777, CVE-2018-7494 Security Notification Updated All versions prior to v1.3.4 SEVD-2018-095-01  (V1.2)
2020/01/28 EcoStruxure™ Operator Terminal Expert - Security Bulletin EcoStruxure™ Operator Terminal Expert software  SESB-2020-028-01
2020/01/14 MSX Configurator CVE-2019-6858 CWE-427:Uncontrolled Search Path Element Software Version prior to V1.0.8.1 SEVD-2020-014-01
Employee working at a control room with many screens in front

See all archived security notifications

See all

Need help?

Start here!

Find answers now. Search for a solution on your own, or connect with one of our experts.

Contact Support

Reach out to our customer care team to receive more information, technical support, assistance with complaints and more.

Where to buy?

Easily find the nearest Schneider Electric distributor in your location.

Browse FAQ

Get answers you need by browsing topic-related Frequently Asked Questions (FAQ).

Contact Sales

Start your sales inquiry online and an expert will connect with you.