PatchSiren cyber security CVE debrief
CVE-2021-22763 Schneider Electric CVE debrief
CVE-2021-22763 is a HIGH severity vulnerability (CVSS 3.1: 8.1) in Schneider Electric PowerLogic PM55xx series power meters and PM8ECC communication modules. The weakness (CWE-640: Weak Password Recovery Mechanism for Forgotten Password) allows an unauthenticated attacker to gain administrator-level access to affected devices. Originally published on 2021-06-08, the advisory was updated on 2024-11-12 to note that remediation is now available for the PM5562 model. Affected products include PM5560, PM5561, PM5562, PM5563, and PM8ECC devices running firmware versions prior to patched releases. The PM8ECC has reached end-of-service with no patch available.
- Vendor: Schneider Electric
- Product: PowerLogic PM5560 Versions prior to v2.7.8
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2021-06-08
- Original CVE updated: 2024-11-12
- Advisory published: 2021-06-08
- Advisory updated: 2024-11-12
Who should care
Organizations operating Schneider Electric PowerLogic PM55xx series power meters (PM5560, PM5561, PM5562, PM5563) or PM8ECC communication modules in industrial, commercial, or utility environments. Critical infrastructure operators, building automation teams, and energy management system administrators should prioritize patching or implementing network-level mitigations.
Technical summary
The vulnerability exists in the password recovery mechanism of affected PowerLogic devices. An attacker can exploit the weak recovery implementation to reset or recover administrative credentials without proper authentication, resulting in unauthorized administrator-level access. The attack requires network access to the device's HTTP interface but does not require prior authentication or user interaction. Successful exploitation grants full control over the device configuration and operational parameters.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade PowerLogic PM5560 and PM5563 to firmware version 2.8.3 or later
- Upgrade PowerLogic PM5561 to firmware version 10.7.3 or later
- Upgrade PowerLogic PM5562 to firmware version 4.3.5 or later
- For PM8ECC (end-of-service, no patch): block HTTP access at the firewall level after commissioning is complete
- If patching is not immediately feasible: block HTTP access to affected devices at the firewall level or disable the HTTP web service
- Apply CISA ICS recommended practices for defense-in-depth security controls
- Monitor for unauthorized administrative access attempts to affected power meter devices
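The last two actions above (restrict HTTP to the meters, then watch for access attempts that slip past the restriction) can be checked against firewall logs. The script below is an added example, not code from PatchSiren, Schneider Electric or CISA: it parses constructed netfilter-style log lines, keeps only TCP connections to addresses in a meter inventory on the web-service port, and raises an alert when the source is outside an engineering allowlist. The meter addresses, device labels, allowlist network and log format are all constructed for the example, and plain-HTTP port 80 is an assumption about where the device web service listens.

```python
"""Flag HTTP connection attempts to PowerLogic meters from non-allowlisted hosts.

Added example for the debrief above; inventory, allowlist and log lines are
constructed, and port 80 is an assumption about the device web service.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: management addresses of the affected meters (hypothetical).
METER_IPS = {
    "10.20.5.11": "PM5560-substation-A",
    "10.20.5.12": "PM5561-substation-A",
    "10.20.5.20": "PM8ECC-bldg-3",
}
# Constructed allowlist: only the engineering network may reach the meters' web UI.
ALLOWED_SOURCES = [ip_network("10.20.100.0/24")]
# Assumption: the device web service is plain HTTP on TCP/80.
HTTP_PORTS = {80}

# Constructed firewall log lines in a netfilter-like layout (not real product output).
SAMPLE_LOG = """\
Jun 08 10:01:02 fw1 kernel: FWLOG: IN=eth1 OUT=eth2 SRC=10.20.100.7 DST=10.20.5.11 PROTO=TCP SPT=51234 DPT=80 SYN
Jun 08 10:01:05 fw1 kernel: FWLOG: IN=eth1 OUT=eth2 SRC=10.20.100.7 DST=10.20.5.11 PROTO=TCP SPT=51235 DPT=502 SYN
Jun 08 10:02:17 fw1 kernel: FWLOG: IN=eth0 OUT=eth2 SRC=192.168.44.9 DST=10.20.5.12 PROTO=TCP SPT=40001 DPT=80 SYN
Jun 08 10:02:18 fw1 kernel: FWLOG: IN=eth0 OUT=eth2 SRC=192.168.44.9 DST=10.20.5.20 PROTO=TCP SPT=40002 DPT=80 SYN
Jun 08 10:02:19 fw1 kernel: FWLOG: IN=eth0 OUT=eth2 SRC=192.168.44.9 DST=10.20.5.99 PROTO=TCP SPT=40003 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    device: str


def is_allowed_source(src: str, allowed=ALLOWED_SOURCES) -> bool:
    """True when the source address falls inside one of the allowlisted networks."""
    addr = ip_address(src)
    return any(addr in net for net in allowed)


def find_unauthorized_http(log_text: str, meter_ips=METER_IPS,
                           allowed=ALLOWED_SOURCES, http_ports=HTTP_PORTS):
    """Return one Alert per HTTP connection attempt to a known meter from a
    source outside the allowlist. Non-HTTP traffic (e.g. Modbus on 502) and
    destinations not in the inventory are ignored."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dst = m.group("dst")
        if dst not in meter_ips:
            continue
        if m.group("proto") != "TCP" or int(m.group("dport")) not in http_ports:
            continue
        src = m.group("src")
        if is_allowed_source(src, allowed):
            continue
        # Syslog timestamp occupies the first 15 characters of the line.
        alerts.append(Alert(timestamp=line[:15], src=src, dst=dst, device=meter_ips[dst]))
    return alerts


def summarize_by_source(alerts):
    """Count alerts per source address so a sweep across several meters stands out."""
    counts = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_unauthorized_http(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} unauthorized HTTP to {a.device} ({a.dst}) from {a.src}")
    print(summarize_by_source(found))
```

During commissioning the allowlist would temporarily include the commissioning workstation; once the page's "block HTTP after commissioning" step is in place, any line this script reports represents traffic that the firewall rule should already have stopped, which makes it a useful check that the rule is actually effective on every path to the meters.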
Evidence notes
The vulnerability was disclosed in CISA advisory ICSA-24-331-01, which references Schneider Electric security notice SEVD-2021-159-02. The advisory was originally released on 2021-06-08 and updated on 2024-11-12 to add remediation for PM5562. The CVSS vector confirms a network attack vector with high attack complexity but no required privileges or user interaction, leading to complete confidentiality, integrity, and availability impact.
Official resources
- CVE-2021-22763 CVE record (CVE.org)
- CVE-2021-22763 NVD detail (NVD)
- Source item URL (cisa_csaf)
2021-06-08