Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Schneider Electric Patches Flaw in Pelco Video Management Software

Energy management company Schneider Electric has released a patch to address a serious vulnerability affecting Pelco DS-NVs, a video management software used worldwide in the commercial facilities industry and other sectors.

Pelco by Schneider Electric

Energy management company Schneider Electric has released a patch to address a serious vulnerability affecting Pelco DS-NVs, a video management software used worldwide in the commercial facilities industry and other sectors.

Pelco by Schneider Electric

Security researchers Ariele Caltabiano and Andrea Micalizzi discovered that the product is plagued by a high severity buffer overflow vulnerability that can be exploited by a remote attacker for arbitrary code execution. The experts reported their findings to Schneider Electric through HP’s Zero Day Initiative (ZDI), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said in an advisory.

The flaw, which exists in a DLL file used by the product, has been assigned the CVE-2015-0982 identifier and a CVSS base score of 7.5.

The bug affects Pelco DS-NVs version 7.6.32 and earlier, and it can be exploited even by an attacker with low skill. Schneider Electric has released version 7.8.90 of the product to resolve the vulnerability.

“Schneider Electric would like to thank Ariele Caltabiano (kimiya) and Andrea Micalizzi (rgod) working with HP’s Zero Day Initiative for their discovery and cooperation during this vulnerability disclosure process,” Schneider wrote in its own advisory.

ICS-CERT says it’s unaware of public exploits specifically targeting this vulnerability.

This isn’t the first patch released by Schneider Electric this year. In January, the company released software updates to address vulnerabilities in Wonderware InTouch Access Anywhere Server. Last month, the energy giant fixed vulnerabilities affecting Invensys SRD Control Valve Positioners, InduSoft Web Studio, and the the InTouch Machine Edition 2014 product line.

Register Your Interest to Get the Latest Updates for the 2015 ICS Cyber Security Conference

Advertisement. Scroll to continue reading.
Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.