PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-37039 Schneider Electric CVE debrief

CVE-2024-37039 is a Schneider Electric Sage RTU vulnerability where an unchecked return value can let a specially crafted HTTP request trigger denial of service on the device. The issue was published on 2024-06-11 and the advisory was updated on 2024-07-09 to add a direct remediation link.

Vendor: Schneider Electric
Product: Sage 1410
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-06-11
Original CVE updated: 2024-07-09
Advisory published: 2024-06-11
Advisory updated: 2024-07-09

Who should care

OT/ICS operators, engineers, and asset owners running Schneider Electric Sage 1410, 1430, 1450, 2400, 3030 Magnum, or 4400 devices, especially where the device may be reachable over HTTP.

Technical summary

The advisory describes a CWE-252 unchecked return value condition that can be reached with a specially crafted HTTP request. CISA lists six affected Sage product lines, all at firmware versions C3414-500-S02K5_P8 and prior, and the vendor fix is firmware C3414-500-S02K5_P9. The provided CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) aligns with a network-reachable availability impact without confidentiality or integrity impact.

Defensive priority

Patch soon, with higher urgency if the Sage device is network-reachable or exposed to untrusted segments. Availability impact is the main concern, so prioritize remediation where device downtime would affect operations.

Recommended defensive actions

  • Upgrade affected Sage devices to firmware C3414-500-S02K5_P9 or later, using the vendor-provided remediation.
  • Inventory Sage 1410/1430/1450/2400/3030 Magnum/4400 assets and confirm whether any are running C3414-500-S02K5_P8 or earlier.
  • Restrict HTTP access to these devices to trusted management networks only, consistent with ICS segmentation practices.
  • Review the Schneider Electric security notice and the CISA advisory for product-specific guidance and validation steps.
  • Monitor for unexpected service interruptions on the affected devices until remediation is complete.
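As an added example for the inventory step above (not part of the PatchSiren debrief and not Schneider Electric tooling), a small Python triage helper that sorts asset rows into affected, fixed, out-of-scope and needs-review buckets. It assumes the trailing `_P<n>` of the firmware string is a numeric patch level that increases within the same firmware base, which the advisory does not state, and the device names in the sample inventory are constructed.

```python
import re

# Version strings and model names come from the advisory text.
LAST_AFFECTED = "C3414-500-S02K5_P8"
FIXED = "C3414-500-S02K5_P9"
AFFECTED_MODELS = {"Sage 1410", "Sage 1430", "Sage 1450",
                   "Sage 2400", "Sage 3030 Magnum", "Sage 4400"}

# Assumption (not stated by the advisory): "_P<n>" is a patch level, so
# "P8 and prior" means the same base with n <= 8. Compare n as an integer;
# a plain string compare would wrongly rank "_P10" below "_P9".
_VERSION_RE = re.compile(r"^(?P<base>.+?)_P(?P<patch>\d+)$")


def parse_version(version):
    """Return (base, patch_number) or None when the string does not fit."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return m.group("base"), int(m.group("patch"))


def classify(model, version):
    """Return 'affected', 'fixed', 'not_in_scope' or 'review' for one row."""
    if model not in AFFECTED_MODELS:
        return "not_in_scope"
    parsed = parse_version(version)
    fixed_base, fixed_patch = parse_version(FIXED)
    if parsed is None or parsed[0] != fixed_base:
        return "review"  # unparseable or different firmware base: confirm by hand
    return "fixed" if parsed[1] >= fixed_patch else "affected"


def triage(inventory):
    """Group (model, firmware, asset_name) rows by classification."""
    out = {"affected": [], "fixed": [], "not_in_scope": [], "review": []}
    for model, version, name in inventory:
        out[classify(model, version)].append(name)
    return out


SAMPLE_INVENTORY = [  # constructed sample rows, not real assets
    ("Sage 1410", "C3414-500-S02K5_P8", "rtu-sub-01"),
    ("Sage 3030 Magnum", "C3414-500-S02K5_P7", "rtu-sub-02"),
    ("Sage 2400", "C3414-500-S02K5_P9", "rtu-sub-03"),
    ("Sage 4400", "C3414-500-S02K5_P10", "rtu-sub-04"),
    ("Sage 1450", "unknown", "rtu-sub-05"),
    ("Modicon M340", "C3414-500-S02K5_P8", "plc-line-01"),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {names}")
```

Rows in the `review` bucket should be checked against the vendor notice rather than assumed fixed, since an unrecognised version string says nothing about exposure.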

Evidence notes

Source evidence identifies CWE-252 and states that a specially crafted HTTP request could cause denial of service. The affected products are Schneider Electric Sage 1410, 1430, 1450, 2400, 3030 Magnum, and 4400 versions C3414-500-S02K5_P8 and prior. The remediation listed by the vendor is firmware C3414-500-S02K5_P9, and the advisory revision history shows a later update adding a direct remediation link.

Official resources

Publicly disclosed on 2024-06-11; the advisory was modified on 2024-07-09 to add a direct remediation link.