CVE-2024-8884 (CVSS 9.8): Critical Flaw Exposes Schneider Electric Industrial PCs to Attack

CVE-2024-8884 & CVE-2024-11737

Schneider Electric has issued a security notification concerning a critical vulnerability in the System Monitor application of their Harmony Industrial PC Series and Pro-face PS5000 Legacy Industrial PC Series. The vulnerability tracked as CVE-2024-8884, has been assigned a CVSS v3.1 score of 9.8, making it a critical threat that could expose sensitive information and potential operational failures if left unpatched.

The vulnerability exists in the System Monitor application used within these industrial PCs, which are known for their slim and durable design, offering flexible connectivity for industrial environments. The critical flaw arises from the exposure of sensitive information to unauthorized actors over an unsecured HTTP connection. Specifically, it could allow an attacker to gain access to credentials if they can interact with the application over a network.

This exposure puts organizations at significant risk of denial of service (DoS) attacks, sensitive data leaks, and potential integrity issues, which could ultimately lead to operational failures in critical industrial environments.

The CVE-2024-8884 vulnerability affects all versions of the System Monitor application in the following products:

  • Harmony Industrial PC Series: HMIBMO/HMIBMI/HMIPSO/HMIBMP/HMIBMU/HMIPSP/HMIPEP
  • Pro-face PS5000 Legacy Industrial PC Series

Both product lines are widely used in industrial settings for monitoring and managing production systems, making the threat particularly concerning for companies relying on Schneider Electric’s solutions to ensure seamless operation in their facilities.

Schneider Electric has provided a detailed remediation strategy for customers affected by this vulnerability. The recommended solution is to uninstall the System Monitor application.

Schneider Electric also strongly advises customers to follow industry best practices, including testing the uninstallation process in Test and Development environments or offline infrastructures to avoid unintended disruptions to production.

Related Posts: