PatchSiren cyber security CVE debrief
CVE-2024-10497 Schneider Electric CVE debrief
CVE-2024-10497 is a high-severity authorization bypass in Schneider Electric PowerLogic HDPM6000. The issue can let an authenticated attacker modify values outside their assigned privileges by sending modified HTTPS requests to the device. Schneider Electric has fixed the issue, which affects HDPM6000 v0.62.7, in v0.62.11 and newer, and CISA's advisory also recommends restricting HTTPS access to the local network segment if patching is not immediately possible.
- Vendor: Schneider Electric
- Product: PowerLogic HDPM6000
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-01-28
- Original CVE updated: 2025-01-28
- Advisory published: 2025-01-28
- Advisory updated: 2025-01-28
Who should care
OT/ICS administrators, Schneider Electric PowerLogic HDPM6000 operators, and security teams responsible for devices that allow HTTPS management access. Systems still on v0.62.7, or with management interfaces exposed beyond tightly controlled network segments, deserve immediate attention.
Technical summary
According to the CISA CSAF advisory, CVE-2024-10497 is an authorization bypass through a user-controlled key in Schneider Electric PowerLogic HDPM6000 v0.62.7. The attacker must already be authenticated, but can send modified HTTPS requests that cause the device to accept changes outside the privileges granted to that user. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network reachability, low attack complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.
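As an added illustration of the bug class described above (this is not HDPM6000 or Schneider Electric code; it assumes a hypothetical device settings handler with constructed roles and settings), the vulnerable pattern sits beside its hardened form: the first decides write scope from a privilege field the client can include in the request, the second only from server-side session state.

```python
# Added example, not Schneider Electric code: a hypothetical device settings
# handler showing the CWE-639 pattern (authorization bypass through a
# user-controlled key) next to its hardened form. Roles, settings and values
# are constructed for illustration.
from dataclasses import dataclass, field

# Which settings each role may change (constructed policy).
ROLE_PERMISSIONS = {
    "viewer": set(),
    "operator": {"display_units"},
    "admin": {"display_units", "ct_ratio", "admin_password"},
}


@dataclass
class Session:
    user: str
    role: str  # established at login and stored server-side


@dataclass
class Device:
    settings: dict = field(
        default_factory=lambda: {"display_units": "kW", "ct_ratio": "100:5"}
    )
    sessions: dict = field(default_factory=dict)  # session_id -> Session


def handle_set_vulnerable(device: Device, session_id: str, request: dict) -> int:
    """Vulnerable: the privilege check keys off a 'role' field taken from the
    request body, so an authenticated low-privilege user who edits that field
    is granted a higher role's write scope."""
    session = device.sessions[session_id]          # authenticated, but...
    role = request.get("role", session.role)       # ...privilege is user-controlled
    if request["setting"] not in ROLE_PERMISSIONS.get(role, set()):
        return 403
    device.settings[request["setting"]] = request["value"]
    return 200


def handle_set_hardened(device: Device, session_id: str, request: dict) -> int:
    """Hardened: privilege comes only from the server-side session; any
    privilege-bearing field the client sends is ignored entirely."""
    session = device.sessions[session_id]
    if request["setting"] not in ROLE_PERMISSIONS[session.role]:
        return 403
    device.settings[request["setting"]] = request["value"]
    return 200
```

The same check applies to any client-supplied identifier that selects whose data or which scope a request acts on: resolve it against the session on the server, never trust it as sent.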
Defensive priority
High. The vulnerability is network-reachable, requires only low privileges, and is rated 8.8 HIGH with high CIA impact. Prioritize patching affected devices and hardening management-plane access.
Recommended defensive actions
- Upgrade Schneider Electric PowerLogic HDPM6000 from v0.62.7 to v0.62.11 or newer.
- If you cannot patch immediately, ensure HTTPS access is not available outside the local network segment by applying firewall rules and network access controls.
- Protect the management network segment so only authorized administrative systems can reach the device.
- Account for the reboot requirement during firmware updates: a restart occurs when updating through the web UI, and manual restart is needed when upgrading with HDPM6000 Manager software.
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-25-028-02 and the referenced Schneider Electric remediation guidance. The supplied advisory data identifies Schneider Electric PowerLogic HDPM6000 v0.62.7 as affected and lists v0.62.11 and newer as fixed. The supplied enrichment does not mark this CVE as a KEV item.
Official resources
- CVE-2024-10497 CVE record (CVE.org)
- CVE-2024-10497 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory for CVE-2024-10497 on 2025-01-28, with the same date shown for initial publication and modification in the supplied source data.