CVE-2024-10575 (CVSS 10): Critical Flaw in Schneider Electric’s EcoStruxure IT Gateway

Schneider Electric has published a security notification about a critical vulnerability in its EcoStruxure™ IT Gateway platform, which connects IT infrastructure devices to the cloud for monitoring and analysis. The vulnerability, identified as CVE-2024-10575, could allow unauthorized access to the Gateway, potentially compromising the system’s control and data integrity.

Schneider Electric warns that “failure to apply the fix…may risk unauthorized access to EcoStruxure™ IT Gateway,” leading to exposure of sensitive data and possible control over connected devices.

With a CVSS v4.0 score of 10.0, this missing authorization vulnerability is classified as critical. It impacts versions 1.21.0.6, 1.22.0.3, 1.22.1.5, and 1.23.0.4. To address this, Schneider Electric has released version 1.23.1.10, which patches the flaw and is available for download. They recommend enabling automatic updates to ensure ongoing security.
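The affected and fixed version numbers above are the only data a defender needs to triage an inventory, but the four-component builds are easy to misjudge with plain string comparison ("1.23.1.9" sorts after "1.23.1.10" lexically). The script below is an added example, not Schneider Electric's tooling: it parses the dotted versions numerically and classifies each host. The hostnames and inventory are constructed, and the "review" status for unlisted builds older than 1.23.1.10 is an assumption, since the notice names only the four affected builds and the fixed release.

```python
"""Triage EcoStruxure IT Gateway inventory against CVE-2024-10575 version data.

Added example; versions come from the Schneider Electric notification,
hostnames and the inventory below are constructed for illustration.
"""
from typing import Dict, Iterable, List, Tuple

# Builds the vendor notice lists as impacted.
AFFECTED_VERSIONS = {"1.21.0.6", "1.22.0.3", "1.22.1.5", "1.23.0.4"}
# First release the notice says contains the fix.
FIXED_VERSION = "1.23.1.10"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.23.1.10' into (1, 23, 1, 10) so comparisons are numeric.

    Raises ValueError for anything that is not dotted integers.
    """
    return tuple(int(part) for part in version.strip().split("."))


def assess(version: str) -> str:
    """Classify one installed version.

    'affected' : explicitly listed in the notice
    'fixed'    : numerically at or above the patched release
    'review'   : not listed but older than the fix (assumption: treat as
                 suspect until checked against the vendor notice)
    'unknown'  : could not be parsed at all
    """
    if version.strip() in AFFECTED_VERSIONS:
        return "affected"
    try:
        parsed = parse_version(version)
    except ValueError:
        return "unknown"
    if parsed >= parse_version(FIXED_VERSION):
        return "fixed"
    return "review"


def triage_inventory(hosts: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, version) pairs by assessment status."""
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "review": [], "unknown": []}
    for hostname, version in hosts:
        result[assess(version)].append(hostname)
    return result


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("gw-dc1-a", "1.23.0.4"),    # listed as affected
    ("gw-dc1-b", "1.23.1.10"),   # patched release
    ("gw-dc2-a", "1.23.1.9"),    # older than fix; string compare would get this wrong
    ("gw-dc2-b", "1.24.0.1"),    # newer than fix
    ("gw-lab",   "unknown-build"),
]

if __name__ == "__main__":
    for status, names in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:>8}: {', '.join(names) or '-'}")
```

Hosts in the "affected" and "review" buckets are the ones to isolate and update first; the "unknown" bucket usually means the version string was captured incorrectly and needs a manual look.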

For those unable to immediately update, Schneider advises mitigating the risk by isolating the Gateway on protected networks, using a local firewall to restrict remote access to the web API, and removing any potentially compromised versions before installing the update.