PatchSiren cyber security CVE debrief
CVE-2016-8354 Schneider Electric CVE debrief
CVE-2016-8354 describes a code-execution flaw in Schneider Electric Unity PRO where Unity projects compiled as x86 instructions can be loaded into the bundled PLC Simulator and executed directly. A specially crafted patched Unity project file can redirect control flow so the simulator runs malicious code. The issue was published on 2017-02-13 and is associated with Unity PRO versions prior to V11.1, with NVD’s CPE data indicating vulnerability through 11.0.
- Vendor
- Schneider Electric
- Product
- CVE-2016-8354
- CVSS
- HIGH 7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-02-13
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-02-13
- Advisory updated
- 2026-05-13
Who should care
Organizations using Schneider Electric Unity PRO, especially teams that develop, test, or validate PLC logic in the Unity PLC Simulator. OT security teams and engineers responsible for engineering workstation hardening and project-file handling should treat this as relevant because the attack path depends on local interaction with a crafted project file.
Technical summary
NVD maps the weakness to CWE-94 and rates the vector as AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The core issue is that Unity projects may be compiled as x86 instructions and then executed by the PLC Simulator; a maliciously patched project file can alter control flow and cause arbitrary code execution in the simulator context. The official data places affected Unity PRO versions below V11.1, while the NVD CPE range marks versions up to 11.0 as vulnerable.
Defensive priority
High for affected engineering workstations and simulator environments, because successful exploitation can lead to code execution with significant confidentiality, integrity, and availability impact, even though the attack requires local access and user interaction.
Recommended defensive actions
- Verify whether Schneider Electric Unity PRO is installed and whether any systems are running versions prior to V11.1.
- Treat Unity project files from untrusted or unexpected sources as high risk and restrict who can open or modify them.
- Limit access to engineering workstations used for PLC development and simulator use.
- Apply the vendor remediation or upgrade path referenced by Schneider Electric and confirm the environment is on a fixed version.
- Monitor for unexpected simulator crashes, abnormal project-file changes, or unauthorized use of Unity PRO on engineering assets.
- Review backup, integrity, and change-control processes for Unity project files before testing or deployment.
Evidence notes
This debrief is based only on the supplied NVD record and linked official references. The published CVE date used here is 2017-02-13, not the later modification date. Version scope is taken from the supplied description and NVD CPE criteria, which together indicate exposure before V11.1 and through 11.0. External references listed by NVD include ICS-CERT advisory ICSA-16-306-03 and SecurityFocus BID 93830.
Official resources
-
CVE-2016-8354 CVE record
CVE.org
-
CVE-2016-8354 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
-
Mitigation or vendor reference
[email protected] - Third Party Advisory, US Government Resource
Publicly disclosed on 2017-02-13. The record was modified on 2026-05-13, but that modification date does not change the original CVE publication date.