Security Experts:

Connect with us

Hi, what are you looking for?



Unpatched Flaws in Schneider Electric U.motion Builder Disclosed

The details of several vulnerabilities affecting Schneider Electric’s U.motion Builder software have been disclosed before the vendor released any patches.

The details of several vulnerabilities affecting Schneider Electric’s U.motion Builder software have been disclosed before the vendor released any patches.

Schneider Electric’s U.motion is a building automation solution used around the world mainly in the commercial facilities, critical manufacturing and energy sectors. U.motion Builder is a tool that allows users to create projects for their U.motion devices.

Security researcher Andrea Micalizzi, also known as “rgod,” discovered that the U.motion Builder software, version 1.2.1 and prior, is affected by several vulnerabilities, including ones rated critical and high severity.

Advisories published by ICS-CERT and the vendor describe the flaws as SQL injection, path traversal, authentication bypass, hardcoded password, improper access control, information disclosure, and denial-of-service (DoS) issues.

An attacker can exploit the security holes to execute arbitrary code and commands, steal files, gain access to the system with high privileges, obtain information, and cause a DoS condition – in some cases even without authentication.

The security holes were reported by Micalizzi to Schneider via Zero Day Initiative (ZDI) and ICS-CERT in March 2016. Several months later, the vendor said it was expecting a patch to become available by the end of the year.

Since fixes still haven’t been released, ZDI has made public more than 20 advisories detailing each of the vulnerabilities found by the researcher in U.motion Builder. The advisories include details, such as affected file and parameter, that could allow malicious actors to exploit the flaws.

Schneider Electric has now promised to release an update by the end of August and instructed customers to apply the patch as soon as it becomes available. In the meantime, the company has advised users to place the affected software behind a firewall, ensure that the machine hosting the software is not connected to the Web, use application whitelisting and access control features, and ensure that remote access is only possible over a trusted VPN.

This is not the first time researchers have decided to disclose unpatched flaws affecting Schneider products after the vendor’s failure to release patches or provide any status updates.

In April, experts disclosed two weaknesses affecting Schneider PLCs. The vendor admitted making a mistake in that case, but it seems it was not an isolated incident.

ICS-CERT has also published a couple of advisories this week detailing critical flaws in Siemens’ Viewport for Web Office Portal, SIMATIC, SINUMERIK and SIMOTION products.

Related: Learn More at SecurityWeek’s ICS Cyber Security Conference

Related: Schneider Electric Patches Flaws in ClearSCADA, Wonderware Products

Related: Schneider Patches Flaws in VAMPSET, SoMachine Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.