CVE-2024-8884 (CVSS 9.8): Critical Flaw Exposes Schneider Electric Industrial PCs to Attack

Summary: Schneider Electric has issued a critical security notification regarding a vulnerability (CVE-2024-8884) in the System Monitor application of their Harmony Industrial PC Series and Pro-face PS5000 Legacy Industrial PC Series, which could expose sensitive information and lead to operational failures. With a CVSS v3.1 score of 9.8, this flaw could allow unauthorized access to credentials over an unsecured HTTP connection, posing significant risks to organizations.

Threat Actor: Unknown
Victim: Schneider Electric customers

Key Points:

  • The vulnerability allows unauthorized access to sensitive information via an unsecured HTTP connection.
  • Organizations face risks of denial of service (DoS) attacks and potential operational failures if the flaw is not addressed.
  • Schneider Electric's recommended remediation is to uninstall the System Monitor application; all versions are affected.
  • Testing the uninstallation process in safe environments is advised to prevent disruptions in production.

Schneider Electric has issued a security notification concerning a critical vulnerability in the System Monitor application of their Harmony Industrial PC Series and Pro-face PS5000 Legacy Industrial PC Series. The vulnerability, tracked as CVE-2024-8884, has been assigned a CVSS v3.1 score of 9.8, making it a critical threat that could expose sensitive information and cause operational failures if left unaddressed.

The vulnerability exists in the System Monitor application shipped with these industrial PCs, which are known for their slim and durable design and flexible connectivity for industrial environments. The flaw is an exposure of sensitive information to an unauthorized actor: the application communicates over an unsecured (unencrypted) HTTP connection, so an attacker able to reach or observe that traffic on the network could obtain credentials. The 9.8 score reflects a flaw that is reachable over the network and requires neither privileges nor user interaction.

This exposure puts organizations at significant risk of credential theft, sensitive data leaks, loss of integrity, and denial of service (DoS), which could ultimately lead to operational failures in critical industrial environments.

The CVE-2024-8884 vulnerability affects all versions of the System Monitor application in the following products:

  • Harmony Industrial PC Series: HMIBMO/HMIBMI/HMIPSO/HMIBMP/HMIBMU/HMIPSP/HMIPEP
  • Pro-face PS5000 Legacy Industrial PC Series

Both product lines are widely used in industrial settings for monitoring and managing production systems, making the threat particularly concerning for companies relying on Schneider Electric’s solutions to ensure seamless operation in their facilities.

Schneider Electric has provided a detailed remediation strategy for customers affected by this vulnerability. The recommended solution is to uninstall the System Monitor application.

Schneider Electric also strongly advises customers to follow industry best practices, including testing the uninstallation process in Test and Development environments or offline infrastructures to avoid unintended disruptions to production.
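Because the remediation is removal rather than a patch, the practical task for an operator is to find every affected unit that still has the application installed and to confirm removal afterwards. The following PowerShell script is an added example, not Schneider Electric's code or guidance, and it makes assumptions the advisory does not state: that the application appears under Programs and Features with a display name containing "System Monitor" (the pattern is a placeholder to be checked against a test unit), and that remote hosts accept WinRM. It is read-only: it reports matching installed applications and the host's listening TCP sockets with their owning process, so the operator can see which listener belongs to the application before uninstalling and confirm both are gone afterwards. The advisory does not give a port number, so no port is assumed.

```powershell
# Added example (not Schneider Electric's code): inventory check for the
# System Monitor application on Windows-based Harmony / Pro-face industrial PCs.
# Assumptions not taken from the advisory: the application registers an
# uninstall entry whose DisplayName matches $DisplayNamePattern, and remote
# hosts are reachable over WinRM. Read-only; run it in a test environment first.
param(
    [string[]]$ComputerName = @('localhost'),
    # Hypothetical pattern; confirm the exact DisplayName on a test unit.
    [string]$DisplayNamePattern = '*System Monitor*'
)

$inventory = {
    param($Pattern)

    # Both 64-bit and 32-bit uninstall hives, in case the app is a 32-bit install.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Pattern } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString

    # Listening TCP sockets mapped to their owning process. The advisory does not
    # name the HTTP port, so every listener is reported and the operator matches
    # ProcessPath against the application's install directory.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessName  = $proc.ProcessName
                ProcessPath  = $proc.Path
            }
        }

    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Installed = @($apps)
        Listeners = @($listeners)
    }
}

$results = foreach ($c in $ComputerName) {
    if ($c -eq 'localhost') {
        & $inventory $DisplayNamePattern
    } else {
        Invoke-Command -ComputerName $c -ScriptBlock $inventory -ArgumentList $DisplayNamePattern
    }
}

foreach ($r in $results) {
    if ($r.Installed.Count -gt 0) {
        Write-Host "[$($r.Host)] matching application still installed:" -ForegroundColor Yellow
        $r.Installed | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
        # The UninstallString above is what to run (on a test unit first) to
        # apply the vendor's recommended remediation.
    } else {
        Write-Host "[$($r.Host)] no application matching '$DisplayNamePattern' found" -ForegroundColor Green
    }
    Write-Host "[$($r.Host)] listening TCP sockets:"
    $r.Listeners | Sort-Object LocalPort | Format-Table -AutoSize
}
```

Run it once before the change on a test unit to record the application's version, uninstall command and listener, uninstall using the reported UninstallString, then run it again to confirm that both the uninstall entry and the listener are gone before repeating the procedure on production units.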


Source: https://securityonline.info/cve-2024-8884-cvss-9-8-critical-flaw-exposes-schneider-electric-industrial-pcs-to-attack