The details of several vulnerabilities affecting Schneider Electric’s U.motion Builder software have been disclosed before the vendor released any patches.
Schneider Electric’s U.motion is a building automation solution used around the world mainly in the commercial facilities, critical manufacturing and energy sectors. U.motion Builder is a tool that allows users to create projects for their U.motion devices.
Security researcher Andrea Micalizzi, also known as “rgod,” discovered that the U.motion Builder software, version 1.2.1 and prior, is affected by several vulnerabilities, including ones rated critical and high severity.
Advisories published by ICS-CERT and the vendor describe the flaws as SQL injection, path traversal, authentication bypass, hardcoded password, improper access control, information disclosure, and denial-of-service (DoS) issues.
An attacker can exploit the security holes to execute arbitrary code and commands, steal files, gain access to the system with high privileges, obtain information, and cause a DoS condition – in some cases even without authentication.
The security holes were reported by Micalizzi to Schneider via Zero Day Initiative (ZDI) and ICS-CERT in March 2016. Several months later, the vendor said it was expecting a patch to become available by the end of the year.
Since fixes still haven’t been released, ZDI has made public more than 20 advisories detailing each of the vulnerabilities found by the researcher in U.motion Builder. The advisories include details, such as affected file and parameter, that could allow malicious actors to exploit the flaws.
Schneider Electric has now promised to release an update by the end of August and instructed customers to apply the patch as soon as it becomes available. In the meantime, the company has advised users to place the affected software behind a firewall, ensure that the machine hosting the software is not connected to the Web, use application whitelisting and access control features, and ensure that remote access is only possible over a trusted VPN.
This is not the first time researchers have decided to disclose unpatched flaws affecting Schneider products after the vendor’s failure to release patches or provide any status updates.
In April, experts disclosed two weaknesses affecting Schneider PLCs. The vendor admitted making a mistake in that case, but it seems it was not an isolated incident.
ICS-CERT has also published a couple of advisories this week detailing critical flaws in Siemens’ Viewport for Web Office Portal, SIMATIC, SINUMERIK and SIMOTION products.
Related: Learn More at SecurityWeek’s ICS Cyber Security Conference
Related: Schneider Electric Patches Flaws in ClearSCADA, Wonderware Products
Related: Schneider Patches Flaws in VAMPSET, SoMachine Products

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
- Apple Patches Exploited iOS Vulnerability in Old iPhones
- FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist
Latest News
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
- Mapping Threat Intelligence to the NIST Compliance Framework Part 2
- Hive Ransomware Operation Shut Down by Law Enforcement
- US Government Agencies Warn of Malicious Use of Remote Management Software
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
