Schneider Electric informed customers last week that the latest version of its U.motion Builder software patches a total of 16 vulnerabilities, including ones rated critical and high severity.
U.motion is a building automation solution used around the world in the commercial facilities, critical manufacturing and energy sectors. U.motion Builder is a tool that allows users to create projects for their U.motion devices.
Researchers discovered that the Builder software is affected by 16 vulnerabilities, including path traversal and other bugs that can lead to information disclosure, as well as SQL injection flaws that can lead to remote code execution.
A majority of the security holes have been classified as medium severity, but some of them are more serious based on their CVSS score.
The most severe, with a CVSS score of 10, actually impacts the Samba software suite. The flaw allows remote code execution and it has been dubbed “SambaCry” by some members of the industry due to similarities to the WannaCry attack. The vulnerability, tracked as CVE-2017-7494, has been found to impact devices from several major vendors, including Cisco, Netgear, QNAP, Synology, Veritas, Sophos and F5 Networks.
Another serious vulnerability in U.motion Builder, identified as CVE-2018-7777, allows an authenticated attacker to remotely execute arbitrary code by sending specially crafted requests to the targeted server. One of the SQL injection flaws, CVE-2018-7765, has also been classified as high severity.
Most of these weaknesses were reported to Schneider by researcher Andrea Micalizzi, also known as “rgod,” and one was disclosed to the company by Constantin-Cosmin Craciun.
The issues affect U.motion Builder versions prior to 1.3.4, which Schneider released in early February. In addition to providing patches, the company has shared some recommendations for mitigating potential attacks.
This is not the first time Micalizzi has been credited for finding vulnerabilities in U.motion Builder. Last year, ICS-CERT reported that the researcher had found half a dozen types of flaws in this software. Those issues were disclosed in late June 2017, before Schneider had made patches available, because they had been reported to the vendor via Trend Micro’s Zero Day Initiative (ZDI) more than one year earlier.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.