PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-8306 Schneider Electric CVE debrief

A high-severity privilege escalation vulnerability in Schneider Electric Vijeo Designer allows authenticated non-admin users to tamper with binaries and gain unauthorized elevated access, risking full compromise of confidentiality, integrity, and availability on affected engineering workstations. The vulnerability stems from improper privilege management (CWE-269) where file system permissions permit low-privileged users to modify critical runtime binaries. CISA published advisory ICSA-25-014-02 on September 10, 2024, with an update on July 8, 2025 confirming remediation availability for EcoStruxure Machine Expert deployments.

Vendor
Schneider Electric
Product
Vijeo Designer
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-09-10
Original CVE updated
2025-07-08
Advisory published
2024-09-10
Advisory updated
2025-07-08

Who should care

Organizations operating Schneider Electric Vijeo Designer or EcoStruxure Machine Expert in industrial automation environments, particularly engineering workstations used for HMI development and deployment in manufacturing, energy, and critical infrastructure sectors

Technical summary

The vulnerability exists in the file system permission model of Vijeo Designer installations. Non-administrative authenticated users can modify binaries in the Vijeo-Runtime directory due to overly permissive access controls ('Everyone' write permissions). This allows privilege escalation through binary replacement or modification, granting attackers elevated privileges on the engineering workstation. The attack requires local access and valid user credentials but no user interaction, with high impact across confidentiality, integrity, and availability dimensions.

Defensive priority

high

Recommended defensive actions

  • Apply vendor patches: Update Vijeo Designer to V6.3 SP1 via Schneider Electric Software Update (SESU), or upgrade EcoStruxure Machine Expert to v2.3 which includes Vijeo Designer 6.3.2.16 with the fix
  • If patching is not immediately possible, restrict authenticated user access to Vijeo Designer workstations and enforce User Account Control practices
  • Remove write permissions for 'Everyone' on the directory 'C:/Program Files (x86)/Schneider Electric/Vijeo Designer 6.3/Vijeo-Runtime' to prevent binary tampering
  • Follow Schneider Electric's Recommended Cybersecurity Best Practices for workstation, network, and site hardening guidance
  • Monitor for unauthorized modifications to Vijeo Designer installation directories and unexpected privilege escalation attempts on engineering workstations
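The permission fix and the monitoring action above can both be scripted. The following PowerShell is an added example (not PatchSiren's, Schneider Electric's or CISA's own tooling): it audits the Vijeo-Runtime directory and everything under it for Allow ACEs granting 'Everyone' any write-like right, removes them when run with -Remediate, and keeps a SHA-256 baseline of the directory so later binary replacement is visible. It assumes an elevated PowerShell on the engineering workstation and the default install path quoted in the advisory; the script name, parameter names and function names are the example's own.

```powershell
<#
  Added example (not vendor or CISA tooling). Audits the Vijeo-Runtime directory for the
  'Everyone' write access described in the advisory, removes it with -Remediate, and offers
  a file-hash baseline for the monitoring action. Assumes an elevated PowerShell session and
  the advisory's default install path; pass -RuntimeDir for a non-default install.
#>
param(
    [string]$RuntimeDir = 'C:\Program Files (x86)\Schneider Electric\Vijeo Designer 6.3\Vijeo-Runtime',
    [switch]$Remediate
)

# Rights that let a low-privileged user replace or alter binaries, or rewrite the ACL itself.
# ACEs carrying raw generic rights (shown as large integers) are not decoded; review those by hand.
$WriteLikeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
    [System.Security.AccessControl.FileSystemRights]::Modify -bor
    [System.Security.AccessControl.FileSystemRights]::FullControl -bor
    [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-RiskyEveryoneAce {
    # Allow ACEs for the well-known 'Everyone' SID (S-1-1-0) with any write-like right.
    # Matching on the SID instead of the display name also works on localized Windows installs.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Not found: $Path"; return }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
        (($_.FileSystemRights -band $WriteLikeRights) -ne 0)
    }
}

function Remove-RiskyEveryoneAce {
    param([string]$Path)
    if (@(Get-RiskyEveryoneAce -Path $Path | Where-Object IsInherited).Count -gt 0) {
        # Inherited ACEs cannot be removed on the child: stop inheriting from the parent while
        # keeping explicit copies of the current ACEs, then strip those copies below.
        $acl = Get-Acl -LiteralPath $Path
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    $acl = Get-Acl -LiteralPath $Path
    $removed = 0
    foreach ($ace in @(Get-RiskyEveryoneAce -Path $Path)) {
        if ($acl.RemoveAccessRule($ace)) { $removed++ }
    }
    if ($removed -gt 0) { Set-Acl -LiteralPath $Path -AclObject $acl }
    Write-Host "$Path : removed $removed 'Everyone' write ACE(s)"
}

function Get-RuntimeBaseline {
    # SHA-256 of every file under the directory; save it (e.g. Export-Clixml) and re-run on a schedule.
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash
}

function Compare-RuntimeBaseline {
    # Reports files added, modified or removed since a saved Get-RuntimeBaseline result; a
    # 'modified' runtime binary is exactly the tampering the advisory describes.
    param([string]$Path, [object[]]$Baseline)
    $old = @{}
    foreach ($e in $Baseline) { $old[$e.Path] = $e.Hash }
    foreach ($e in Get-RuntimeBaseline -Path $Path) {
        if (-not $old.ContainsKey($e.Path)) { [pscustomobject]@{ Path = $e.Path; Change = 'added' } }
        elseif ($old[$e.Path] -ne $e.Hash)  { [pscustomobject]@{ Path = $e.Path; Change = 'modified' } }
        $old.Remove($e.Path)
    }
    foreach ($p in $old.Keys) { [pscustomobject]@{ Path = $p; Change = 'removed' } }
}

# Audit the directory and everything beneath it: the advisory concerns the binaries inside it,
# and individual files may carry explicit ACEs that do not change when only the folder is fixed.
# Default is report-only; -Remediate removes the offending ACEs.
$targets = @($RuntimeDir) + @(Get-ChildItem -LiteralPath $RuntimeDir -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName)
foreach ($t in $targets) {
    $found = @(Get-RiskyEveryoneAce -Path $t)
    foreach ($ace in $found) {
        [pscustomobject]@{ Path = $t; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
    }
    if ($Remediate -and $found.Count -gt 0) { Remove-RiskyEveryoneAce -Path $t }
}
```

Run the script once without switches to list every offending ACE (path, rights, whether inherited), then with -Remediate from an elevated session to remove them; re-run the audit afterwards to confirm nothing remains. For monitoring, dot-source the script and save a baseline after patching (`Get-RuntimeBaseline -Path $dir | Export-Clixml baseline.xml`), then compare on a schedule with `Compare-RuntimeBaseline -Path $dir -Baseline (Import-Clixml baseline.xml)`; any 'modified' or 'added' entry in the runtime directory outside a vendor update window warrants investigation. Re-baseline after every legitimate Vijeo Designer or EcoStruxure Machine Expert update, since those change the binaries too.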

Evidence notes

CISA CSAF advisory ICSA-25-014-02 (published 2024-09-10, modified 2025-07-08) documents this vulnerability with CVSS 3.1 score 7.8. The advisory confirms affected products: Vijeo Designer versions prior to V6.3 SP1, and Vijeo Designer as optional component of EcoStruxure Machine Expert versions prior to v2.3. Schneider Electric security notice SEVD-2024-254-01 provides vendor remediation guidance.

Official resources

2024-09-10