PatchSiren cyber security CVE debrief
CVE-2024-10083 Schneider Electric CVE debrief
CVE-2024-10083 is an improper input validation issue in Schneider Electric’s Uni-Telway driver. According to the advisory, a local authenticated user can invoke a specific driver interface with crafted input and cause denial of service on an engineering workstation. The affected scope includes the Uni-Telway driver itself and several Schneider Electric products when that driver is installed: EcoStruxure Control Expert, EcoStruxure Process Expert, EcoStruxure Process Expert for AVEVA System Platform, and OPC Factory Server. The vendor guidance focuses on removing the driver where it is not needed and applying workstation hardening controls where it must remain in use.
- Vendor: Schneider Electric
- Product: Uni-Telway driver
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-02-11
- Original CVE updated: 2026-02-24
- Advisory published: 2025-02-11
- Advisory updated: 2026-02-24
Who should care
OT/ICS operators, industrial engineering workstation administrators, and security teams responsible for Schneider Electric environments that use or bundle the Uni-Telway driver—especially installations of EcoStruxure Control Expert, EcoStruxure Process Expert, EcoStruxure Process Expert for AVEVA System Platform, or OPC Factory Server.
Technical summary
The source advisory describes a CWE-20 improper input validation flaw in the Uni-Telway driver. A locally authenticated user can supply crafted input to a specific driver interface and trigger a denial of service on the engineering workstation. The impact described is availability-only; the supplied CVSS vector reflects local access, low attack complexity, low privileges, no user interaction, and high availability impact. The advisory also states that only customers who have installed the Uni-Telway driver are affected.
Defensive priority
Prioritize mitigation for any engineering workstation that uses the Uni-Telway driver, because the impact is a workstation denial of service and the attack requires only local authenticated access. If the driver is not required, removal is the preferred action; if it is required, apply the vendor’s hardening and application-control guidance promptly.
Recommended defensive actions
- Inventory Schneider Electric deployments to determine whether the Uni-Telway driver is installed on any affected workstation or product.
- If the Uni-Telway driver is not required, uninstall it as recommended by Schneider Electric.
- If the driver must remain in use, apply the vendor’s mitigations, including McAfee Application and Change Control for application control and the recommended workstation, network, and site-hardening guidance.
- Review whether your environment uses EcoStruxure Control Expert 16.2, EcoStruxure Process Expert 2025, or OPC Factory Server 3.63SP3, since these versions no longer include the Uni-Telway driver by default.
- Limit access to engineering workstations to authorized users only and monitor for unexpected crashes, hangs, or service interruption affecting workstation availability.
Evidence notes
Primary facts are drawn from the CISA CSAF advisory ICSA-25-070-01 and the linked Schneider Electric security notice for SEVD-2025-042-02. The source record shows initial publication on 2025-02-11 and multiple later republications/updates through 2026-02-24, including mitigation and advisory-title updates. The corpus states that only customers who have installed the Uni-Telway driver are affected.
Official resources
- CVE-2024-10083 CVE record (CVE.org)
- CVE-2024-10083 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed in the CISA CSAF advisory on 2025-02-11, with subsequent advisory updates/republications through 2026-02-24. This debrief is limited to defensive impact and vendor-guided mitigation information.