PatchSiren cyber security CVE debrief
CVE-2024-10575 Schneider Electric CVE debrief
A critical missing authorization vulnerability (CWE-862) in Schneider Electric EcoStruxure™ IT Gateway versions 1.21.0.6 through 1.23.0.4 allows unauthorized network access that could impact connected devices. The vulnerability was disclosed on November 12, 2024, with a CVSS 3.1 score of 9.8 (Critical). Schneider Electric has released version 1.23.1.10 to address this issue. Customers with automatic updates enabled receive the fix automatically; others must manually upgrade. Prior versions are not affected.
- Vendor: Schneider Electric
- Product: EcoStruxure™ IT Gateway
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-11-12
- Original CVE updated: 2024-11-12
- Advisory published: 2024-11-12
- Advisory updated: 2024-11-12
Who should care
Organizations operating Schneider Electric EcoStruxure™ IT Gateway versions 1.21.0.6 through 1.23.0.4 in production environments, particularly those with network-exposed Gateway deployments. Critical infrastructure operators, data center managers, and industrial facility security teams relying on EcoStruxure™ IT for environmental monitoring and device management should prioritize this patch. Organizations with automatic updates disabled or manual update processes must take immediate action.
Technical summary
The vulnerability stems from missing authorization controls in the EcoStruxure™ IT Gateway web API when exposed to network access. Affected versions (1.21.0.6, 1.22.0.3, 1.22.1.5, 1.23.0.4) do not properly enforce authentication for certain operations, enabling unauthorized actors to access the Gateway and potentially impact connected infrastructure devices. The attack vector is network-based with low complexity, requiring no privileges or user interaction. The confidentiality, integrity, and availability impacts are all rated high. Version 1.23.1.10 remediates this authorization gap.
Defensive priority
Critical
Recommended defensive actions
- Upgrade to EcoStruxure™ IT Gateway version 1.23.1.10 immediately if running affected versions 1.21.0.6 through 1.23.0.4
- Enable automatic updates to receive future security patches promptly
- If immediate patching is not possible, place the Gateway on access-controlled networks only and implement local firewall rules to deny remote access to the web API
- Consider removing affected Gateway software and performing a clean installation of version 1.23.1.10 as an alternative remediation path
- Review network segmentation for EcoStruxure™ IT Gateway deployments to limit exposure of connected devices
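The first action above depends on knowing which Gateway installs actually fall inside the affected range, and plain string comparison of version numbers gets that wrong ("1.23.0.4" sorts after "1.23.1.10" as text). The following is an added triage helper, not code from Schneider Electric, CISA or PatchSiren: it parses dotted versions numerically, classifies each install against the four listed affected builds, the vendor's inclusive range, and the fixed version 1.23.1.10, and flags builds that sit between 1.23.0.4 and 1.23.1.10 for manual review rather than silently treating them as safe. The hostnames and inventory are constructed sample data.

```python
"""Inventory triage for CVE-2024-10575 (EcoStruxure IT Gateway).

Added example; not code from Schneider Electric, CISA or PatchSiren.
Hostnames and the inventory below are constructed sample data.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected builds as named in the advisory text.
AFFECTED_LISTED = ("1.21.0.6", "1.22.0.3", "1.22.1.5", "1.23.0.4")
# Inclusive affected range as stated by the vendor.
AFFECTED_LOW, AFFECTED_HIGH = "1.21.0.6", "1.23.0.4"
FIXED = "1.23.1.10"


def parse_version(text: str) -> Version:
    """Turn a dotted version string into an int tuple so it compares numerically
    ('1.23.0.4' < '1.23.1.10', which plain string comparison gets wrong)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text: str) -> str:
    """Classify one install as 'affected', 'fixed', 'prior' or 'review'."""
    v = parse_version(version_text)
    if v >= parse_version(FIXED):
        return "fixed"          # 1.23.1.10 or later
    if parse_version(AFFECTED_LOW) <= v <= parse_version(AFFECTED_HIGH):
        return "affected"       # inside the vendor's affected range
    if v < parse_version(AFFECTED_LOW):
        return "prior"          # advisory states prior versions are not affected
    # Between 1.23.0.4 and 1.23.1.10: not named by the advisory, so do not
    # mark it safe automatically; a person should check the vendor notice.
    return "review"


ACTIONS: Dict[str, str] = {
    "affected": "upgrade to 1.23.1.10 now; until then restrict web API access",
    "review": "build not covered by the advisory; confirm against vendor notice",
    "prior": "not affected per advisory; keep automatic updates enabled",
    "fixed": "no action",
}


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, version, status, action) rows, worst status first."""
    order = {"affected": 0, "review": 1, "prior": 2, "fixed": 3}
    rows = []
    for host, version in inventory:
        status = assess(version)
        rows.append((host, version, status, ACTIONS[status]))
    # sorted() is stable, so hosts with equal status keep inventory order
    return sorted(rows, key=lambda r: order[r[2]])


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("dc1-gw01", "1.23.0.4"),
    ("dc1-gw02", "1.23.1.10"),
    ("dc2-gw01", "1.22.1.5"),
    ("lab-gw01", "1.20.3.2"),
    ("dc2-gw02", "1.23.0.9"),
]

if __name__ == "__main__":
    for host, version, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {version:10} {status:9} {action}")
```

Feed `triage()` the host/version pairs from whatever asset inventory tracks Gateway installs; the "review" bucket exists because the advisory only names builds up to 1.23.0.4 and the fix at 1.23.1.10, so anything in between should be confirmed rather than assumed.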
Evidence notes
CISA ICS advisory ICSA-24-326-05 confirms the vulnerability affects four specific product versions and provides remediation guidance. Schneider Electric's security notice SEVD-2024-317-04 documents the vendor fix in version 1.23.1.10.
Official resources
- CVE-2024-10575 CVE record (CVE.org)
- CVE-2024-10575 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-11-12