PatchSiren cyber security CVE debrief

CVE-2016-8374 Schneider Electric CVE debrief

CVE-2016-8374 is a high-severity denial-of-service issue affecting multiple Schneider Electric Magelis HMI product families. The weakness is described as uncontrolled resource consumption in a targeted web server, allowing a remote attacker to disrupt availability without authentication or user interaction.

Vendor: Schneider Electric
Product: CVE-2016-8374
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

OT/ICS operators, Schneider Electric Magelis HMI owners, plant engineers, and defenders responsible for exposed web management interfaces or web servers on the affected panel families.

Technical summary

NVD classifies the issue as CWE-400 (Uncontrolled Resource Consumption) with CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The affected scope in the supplied record spans Magelis GTO Advanced Optimum Panels, Magelis GTU Universal Panel, Magelis STO5xx and STU Small panels, Magelis XBT GH Advanced Hand-held Panels, Magelis XBT GK Advanced Touchscreen Panels with Keyboard, Magelis XBT GT Advanced Touchscreen Panels, and Magelis XBT GTW Advanced Open Touchscreen Panels. The impact described is denial of service against a targeted web server due to resource exhaustion.

Defensive priority

High. The issue is remotely reachable, requires no privileges or user action, and has high availability impact. For OT environments, even a temporary web-service outage can affect monitoring, maintenance, or operator workflows, so exposure reduction and vendor guidance review should be prioritized.

Recommended defensive actions

  • Identify all Schneider Electric Magelis devices in the affected families and confirm whether their web-facing services are exposed on production or remote-access networks.
  • Review Schneider Electric and ICS-CERT advisory guidance for CVE-2016-8374, including ICSA-16-308-02, and apply any vendor-recommended mitigation or firmware update path.
  • Restrict access to device web interfaces to trusted management networks and remove unnecessary exposure from routable or internet-reachable segments.
  • Monitor for unusual resource usage or repeated requests against panel web services that could indicate a denial-of-service condition.
  • Document operational fallback procedures so that a loss of web-server availability does not interrupt critical monitoring or maintenance tasks.

Evidence notes

The supplied record states that an attacker may disrupt a targeted web server through uncontrolled resource consumption, resulting in denial of service. NVD marks the weakness as CWE-400 and assigns CVSS 7.5 HIGH with a network/no-auth/no-user-interaction vector. References in the NVD record include the US-CERT/ICS-CERT advisory ICSA-16-308-02 and SecurityFocus BID 94093. The affected product families are listed in the CVE description and corresponding NVD CPE entries. No Known Exploited Vulnerabilities listing was provided in the corpus.

Official resources

CVE-2016-8374 was published on 2017-02-13 and later modified in the NVD record on 2026-05-13. The supplied corpus does not indicate KEV inclusion or a public exploitation campaign.