Security Experts:

Connect with us

Hi, what are you looking for?



Schneider Relay Flaws Can Allow Hackers to Disable Electrical Network Protections

Vulnerabilities discovered by researchers in some of Schneider Electric’s Easergy relays can allow hackers to disable protections for electrical networks. The vendor has released patches that should address the security flaws.

Vulnerabilities discovered by researchers in some of Schneider Electric’s Easergy relays can allow hackers to disable protections for electrical networks. The vendor has released patches that should address the security flaws.

Three high-severity vulnerabilities have been found in Easergy medium-voltage protection relays — two impact Easergy P5 devices and one affects Easergy P3 devices. Schneider Electric informed customers about these vulnerabilities in January and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory last week.

Vulnerabilities found in Schneider Easergy protection relaysAccording to the advisories from Schneider and CISA, P3 relays are affected by a buffer overflow (CVE-2022-22725) that can lead to arbitrary code execution or a denial-of-service (DoS) condition if specially crafted packets are sent to the targeted device over the network.

An attacker could exploit the security hole to cause the relay to reboot, or they can gain full control of the device.

Easergy P5 relays are also affected by a buffer overflow (CVE-2022-22723) that can allow an attacker to cause program crashes and achieve code execution using specially crafted packets sent over the network. These devices also have hardcoded credentials (CVE-2022-22722) that can pose a security risk.

“If an attacker were to obtain the SSH cryptographic key for the device and take active control of the local operational network connected to the product they could potentially observe and manipulate traffic associated with product configuration,” Schneider explained.

The vendor warned in its advisories that exploitation could “result in loss of protection to your electrical network.”

Schneider Electric has credited several researchers from embedded security solutions provider Red Balloon Security for reporting the vulnerabilities.

Ang Cui, CEO at Red Balloon Security, told SecurityWeek that the affected relays are typically not exposed to the internet, and even if internet-exposed systems are found, they are likely used for demonstration purposes, rather than real-world applications.

“However, multiple cases have shown enterprise systems, remote access systems and industrial control rooms can be reached from the internet via phishing, discovered remote access credentials, and other attacks. From the control room, it is an easy, direct step to these relays,” Cui explained.

He added, “In addition, since substations are so distributed and numerous, maintaining physical security for all of them can be challenging. This means attackers could still take a more conventional approach and breach a physical security perimeter to access the relays directly.”

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference

According to Cui, an attacker whose goal is to disrupt a large plant or the electrical grid could acquire such an Easergy relay for a few thousand dollars and analyze it in an effort to find vulnerabilities. Once they have identified flaws that they can exploit, hackers can try to gain access to the grid or plant network through established methods, such as spear-phishing or by acquiring access from specialized access brokers.

“Once able to access and compromise actual devices in the field, an attacker could disable the power supply or disrupt it in a way that causes damage to other equipment (for example, by causing backup power to rapidly cycle on and off),” Cui said. “Alternatively, they could disable the protection functions, thereby removing the protections needed in the event of a storm or the failure of another connected device (such as a transformer overload). In either case, the attacker could inflict considerable damage, and greatly increase the time and cost needed to repair systems after a fault.”

Related: Critical Vulnerability Can Be Exploited to Hack Schneider Electric’s Modicon PLCs

Related: ICS Patch Tuesday: Siemens, Schneider Electric Address Nearly 50 Vulnerabilities

Related: Another Stuxnet-Style Vulnerability Found in Schneider Electric Software

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.