PatchSiren cyber security CVE debrief
CVE-2024-11999 Schneider Electric CVE debrief
A high-severity vulnerability (CVSS 8.8) in Schneider Electric Harmony and Pro-face HMI products, published December 10, 2024, allows authenticated attackers to achieve complete device control by installing malicious code. The root cause is CWE-1104: Use of Unmaintained Third-Party Components. The attack requires network access and low-privilege authentication, with no user interaction needed. Affected products include Harmony HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7 series with EcoStruxure Operator Terminal Expert runtime, and Pro-face PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100 series with Pro-face BLUE runtime—all versions. No patch is available; mitigation relies on network segmentation, access restrictions, and secure file handling practices.
- Vendor: Schneider Electric
- Product: Harmony with EcoStruxure™ Operator Terminal Expert runtime
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-12-10
- Original CVE updated: 2024-12-10
- Advisory published: 2024-12-10
- Advisory updated: 2024-12-10
Who should care
Industrial control system operators, OT security teams, manufacturing security engineers, critical infrastructure defenders, and organizations using Schneider Electric Harmony or Pro-face HMI products in production environments
Technical summary
The vulnerability stems from unmaintained third-party components in Schneider Electric's HMI runtime environments. An authenticated attacker with network access can install malicious code, resulting in complete confidentiality, integrity, and availability compromise of the device. The attack vector is network-based with low attack complexity, requiring low privileges but no user interaction. No patch exists; defense relies on architectural controls including network isolation, firewall rules, media restrictions, and code integrity verification.
Defensive priority
high
Recommended defensive actions
- Isolate affected HMI systems from public internet and untrusted networks through network segmentation
- Deploy firewalls to block unauthorized access to HMI devices
- Restrict use of unverifiable portable media with affected systems
- Limit application access to prevent unauthorized firmware transfers to HMI devices
- Implement rootkit scanning and digital signature verification for all software/files before use on HMI systems
- Enforce secure communication protocols for all network file exchanges
- Review and apply Schneider Electric security notice SEVD-2024-345-02 guidance
- Monitor CISA ICS advisories for future patch availability
Evidence notes
CISA ICS advisory ICSA-25-010-02 and Schneider Electric security notice SEVD-2024-345-02 confirm the vulnerability affects all versions of specified HMI product lines. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates network-exploitable, low-complexity attacks requiring authenticated access. No KEV listing or known ransomware campaign use is documented.
Official resources
- CVE-2024-11999 CVE record (CVE.org)
- CVE-2024-11999 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-12-10