Connect with us

Hi, what are you looking for?



Security Firm Discloses Unpatched Flaws in Schneider HMI Product

A cybersecurity startup has disclosed a couple of unpatched denial-of-service (DoS) vulnerabilities affecting a human-machine interface (HMI) product from Schneider Electric.

A cybersecurity startup has disclosed a couple of unpatched denial-of-service (DoS) vulnerabilities affecting a human-machine interface (HMI) product from Schneider Electric.

CRITIFENCE, a company that specializes in security solutions for industrial control systems (ICS), reported on Tuesday that Eran Goldstein, its CTO and founder, in April discovered two serious flaws in Schneider Electric Magelis HMI panels.

The affected devices allow operators and process engineers to monitor and manage industrial facilities. Users can configure the products with the Vijeo Designer software.

The security holes, dubbed “PanelShock” and tracked as CVE-2016-8367 and CVE-2016-8374, allow attackers to cause the devices to enter a DoS condition by sending specially crafted HTTP requests. According to the security firm, the issues are caused by improper implementation of HTTP request methods and resource consumption management mechanisms.

“The use cases identified demonstrate the ability to generate a freeze condition on the HMI, that can lead to a denial of service due to incomplete error management of HTTP requests in the Web Gate Server,” Schneider Electric said in an advisory. “While under attack via a malicious HTTP request, the HMI may be rendered unable to manage communications due to high resource consumption. This can lead to a loss of communication s with devices such as Programmable Logic Controllers (PLCs), and require reboot of the HMI in order to recover.”

The PanelShock vulnerabilities affect Magelis GTO, GTU, STO, STU and XBT panels. Schneider Electric has yet to release patches, but it has provided recommendations on how to mitigate possible attacks. The energy management giant has classified the flaws as high severity, but pointed out that the attacks described by CRITIFENCE only work if the Web Gate Server, which is disabled by default, is active.

The vendor has informed users of Magelis GTO Advanced Optimum and GTU Universal panels that a new version of the Vijeo Designer software, one that will not include these vulnerabilities, will be released in March 2017.

Advertisement. Scroll to continue reading.

The flaws can be exploited remotely even by an attacker with low skill and the publicly available information is sufficient for developing an exploit. CRITIFENCE has published a free tool that allows users to check their devices for these types of vulnerabilities and a video that shows how an attack works:

Last week, at SecurityWeek’s 2016 ICS Cyber Security Conference, researchers from Indegy and CyberX reported finding some serious vulnerabilities in Schneider’s Unity Pro software platform and its ConneXium industrial firewalls.

Related: ICS-CERT Issues Alerts After Expert Discloses Power Meter Flaws

Related: U.S. Has Most Internet Connected Industrial Control Systems

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.