CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



Unpatched Flaws in Schneider Electric U.motion Builder Disclosed

The details of several vulnerabilities affecting Schneider Electric’s U.motion Builder software have been disclosed before the vendor released any patches.

The details of several vulnerabilities affecting Schneider Electric’s U.motion Builder software have been disclosed before the vendor released any patches.

Schneider Electric’s U.motion is a building automation solution used around the world mainly in the commercial facilities, critical manufacturing and energy sectors. U.motion Builder is a tool that allows users to create projects for their U.motion devices.

Security researcher Andrea Micalizzi, also known as “rgod,” discovered that the U.motion Builder software, version 1.2.1 and prior, is affected by several vulnerabilities, including ones rated critical and high severity.

Advisories published by ICS-CERT and the vendor describe the flaws as SQL injection, path traversal, authentication bypass, hardcoded password, improper access control, information disclosure, and denial-of-service (DoS) issues.

An attacker can exploit the security holes to execute arbitrary code and commands, steal files, gain access to the system with high privileges, obtain information, and cause a DoS condition – in some cases even without authentication.

The security holes were reported by Micalizzi to Schneider via Zero Day Initiative (ZDI) and ICS-CERT in March 2016. Several months later, the vendor said it was expecting a patch to become available by the end of the year.

Since fixes still haven’t been released, ZDI has made public more than 20 advisories detailing each of the vulnerabilities found by the researcher in U.motion Builder. The advisories include details, such as affected file and parameter, that could allow malicious actors to exploit the flaws.

Schneider Electric has now promised to release an update by the end of August and instructed customers to apply the patch as soon as it becomes available. In the meantime, the company has advised users to place the affected software behind a firewall, ensure that the machine hosting the software is not connected to the Web, use application whitelisting and access control features, and ensure that remote access is only possible over a trusted VPN.

Advertisement. Scroll to continue reading.

This is not the first time researchers have decided to disclose unpatched flaws affecting Schneider products after the vendor’s failure to release patches or provide any status updates.

In April, experts disclosed two weaknesses affecting Schneider PLCs. The vendor admitted making a mistake in that case, but it seems it was not an isolated incident.

ICS-CERT has also published a couple of advisories this week detailing critical flaws in Siemens’ Viewport for Web Office Portal, SIMATIC, SINUMERIK and SIMOTION products.

Related: Learn More at SecurityWeek’s ICS Cyber Security Conference

Related: Schneider Electric Patches Flaws in ClearSCADA, Wonderware Products

Related: Schneider Patches Flaws in VAMPSET, SoMachine Products

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.