PatchSiren

CVE-2021-22764 Schneider Electric CVE debrief

A CWE-287 Improper Authentication vulnerability in Schneider Electric PowerLogic PM55xx series power meters allows unauthenticated attackers to disrupt Modbus TCP connectivity by sending specially crafted HTTP requests. The vulnerability affects PM5560, PM5561, PM5562, and PM5563 models with specific firmware versions, plus the end-of-service PM8ECC. Vendor fixes were released between 2021 and 2024, with the most recent remediation for PM5562 becoming available in November 2024.

Vendor: Schneider Electric
Product: PowerLogic PM5560 (versions prior to v2.7.8)
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2021-06-08
Original CVE updated: 2024-11-12
Advisory published: 2021-06-08
Advisory updated: 2024-11-12

Who should care

Organizations operating Schneider Electric PowerLogic PM55xx series power meters in industrial environments, particularly those with exposed or poorly segmented network connectivity. Critical infrastructure operators, facility management teams, and OT security practitioners should prioritize assessment and remediation.

Technical summary

The vulnerability stems from improper authentication mechanisms in the HTTP service of affected PowerLogic power meters. An attacker can send a specially crafted HTTP request without authentication, which subsequently causes loss of Modbus TCP protocol connectivity to the device. This represents a denial-of-service condition affecting industrial monitoring and control capabilities. The attack requires network access to the device but no user interaction or privileges.

Defensive priority

medium

Recommended defensive actions

  • Apply vendor firmware updates: PM5560 and PM5563 to version 2.8.3 or later; PM5561 to version 10.7.3 or later; PM5562 to version 4.3.5 or later
  • If immediate patching is not feasible, block HTTP access to affected devices at the firewall level
  • Consider disabling HTTP web services on affected devices where functionality permits
  • For PM8ECC devices (end-of-service), implement firewall rules to block HTTP access after commissioning is complete
  • Apply defense-in-depth practices for industrial control systems per CISA guidance
  • Monitor network traffic for anomalous HTTP requests targeting PowerLogic devices
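
The firmware targets in the first action can be checked against an asset inventory. The following is an added example, not code from Schneider Electric, CISA or this site: it triages a CSV inventory against the fixed versions listed above and compares versions numerically, so that 9.9.9 is not mistaken for newer than 10.7.3. The inventory columns (host, model, firmware), the hostnames and the action labels are assumptions made for the example.

```python
import csv
import io

# Minimum remediated firmware per model, taken from the action list above.
FIXED = {
    "PM5560": (2, 8, 3),
    "PM5563": (2, 8, 3),
    "PM5561": (10, 7, 3),
    "PM5562": (4, 3, 5),
}
# End-of-service model: no firmware target is listed, so HTTP must be blocked.
END_OF_SERVICE = {"PM8ECC"}

# Constructed sample inventory (hypothetical hosts and firmware strings).
SAMPLE_INVENTORY = """host,model,firmware
meter-a,PM5560,v2.7.8
meter-b,PM5561,10.7.3
meter-c,PM5561,9.9.9
meter-d,PM5562,4.3
meter-e,PM8ECC,1.0
meter-f,PM5563,unknown
"""

def parse_version(text):
    """Turn 'v2.7.8' or '4.3' into a comparable tuple, padded to three parts."""
    parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(model, firmware):
    """Return ok, update, block-http, verify-firmware or not-listed."""
    model = model.strip().upper()
    if model in END_OF_SERVICE:
        return "block-http"
    if model not in FIXED:
        return "not-listed"
    try:
        current = parse_version(firmware)
    except ValueError:
        return "verify-firmware"  # unreadable version: treat as unverified
    return "ok" if current >= FIXED[model] else "update"

def triage_inventory(csv_text):
    """Map each host in a CSV inventory (host,model,firmware) to an action."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["model"], r["firmware"]) for r in rows}

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```

Devices reported as update, block-http or verify-firmware are the ones to place behind the HTTP firewall rule until they are patched or confirmed.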

Evidence notes

CISA CSAF advisory ICSA-24-331-01 documents this vulnerability with vendor confirmation from Schneider Electric. The advisory was originally published June 8, 2021, and updated November 12, 2024, to note remediation availability for PM5562. The CVSS 3.1 score of 5.3 (MEDIUM) reflects a network-based attack vector with low attack complexity, no privileges required, and availability impact only.
