PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-8422 Schneider Electric CVE debrief

A Use After Free vulnerability in Schneider Electric Zelio Soft 2 allows arbitrary code execution, denial-of-service, and loss of confidentiality and integrity when a user opens a malicious project file. The vulnerability was disclosed on October 10, 2024, with a CVSS 3.1 score of 7.8 (HIGH). Affected versions are prior to 5.4.2.2. Schneider Electric has released version 5.4.2.2 to address this issue, available through the Schneider Electric Software Update (SESU) application or direct download.

Vendor
Schneider Electric
Product
Zelio Soft 2
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-10-10
Original CVE updated
2024-10-10
Advisory published
2024-10-10
Advisory updated
2024-10-10

Who should care

Organizations using Schneider Electric Zelio Soft 2 for programming Zelio Logic smart relays in industrial control systems, particularly in manufacturing, building automation, and infrastructure environments. Security teams responsible for OT/ICS asset management, patch management programs covering engineering workstations, and incident response teams handling industrial software supply chain threats.

Technical summary

The vulnerability is a Use After Free memory corruption issue in Zelio Soft 2, Schneider Electric's programming software for Zelio Logic smart relays. The flaw is triggered when a user opens a specially crafted malicious project file (.zml or related format). Successful exploitation can result in arbitrary code execution within the context of the application, denial-of-service conditions, and compromise of confidentiality and integrity of system data. The attack vector is local, requiring user interaction to open the malicious file, with low attack complexity. The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H indicates high impacts across confidentiality, integrity, and availability. No known public exploitation or ransomware campaign use has been reported.

Defensive priority

HIGH

Recommended defensive actions

  • Update Zelio Soft 2 to version 5.4.2.2 immediately using the Schneider Electric Software Update (SESU) application or direct download from Schneider Electric's official product page
  • Restrict user permissions to prevent unauthorized installation of Zelio Soft 2 and to stop project files from untrusted sources being opened
  • Implement application whitelisting and endpoint protection to detect and block malicious project files before they are opened
  • Train users to recognize and avoid opening project files from unknown or untrusted origins
  • Monitor for anomalous process behavior or unexpected network connections from Zelio Soft 2 processes
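The first action above depends on knowing which engineering workstations still run an affected build. The following is an added example, not part of the debrief or of any vendor tooling: it compares installed Zelio Soft 2 versions against the 5.4.2.2 remediation version named in this debrief and lists the hosts that still need the update. The inventory is constructed sample data, and the hostnames and helper names are this example's own. Versions are compared numerically component by component, which avoids the common mistake of comparing version strings lexically (where "5.4.10" would sort before "5.4.2").

```python
"""
Patch-level triage for Zelio Soft 2 against the CVE-2024-8422 fix version.
Added example; the inventory below is constructed sample data, not real hosts.
"""
from typing import List, Optional, Tuple

# Remediation version stated in the advisory; everything strictly below it is affected.
FIXED_VERSION = "5.4.2.2"

# Constructed inventory: (hostname, installed Zelio Soft 2 version, or None if not installed).
INVENTORY: List[Tuple[str, Optional[str]]] = [
    ("eng-ws-01", "5.4.2.1"),
    ("eng-ws-02", "5.4.2.2"),
    ("eng-ws-03", "5.3"),
    ("eng-ws-04", None),
    ("eng-ws-05", "5.4.10"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.4.2.1' into (5, 4, 2, 1), padding short strings so '5.3' reads as 5.3.0.0.

    Raises ValueError on non-numeric components so a malformed inventory entry
    is reported rather than silently treated as patched.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) > 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly prior to the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Return the hostnames still running an affected Zelio Soft 2 build."""
    return [
        host
        for host, version in inventory
        if version is not None and is_vulnerable(version)
    ]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: Zelio Soft 2 below {FIXED_VERSION}, update via SESU or vendor download")
```

In practice the inventory would come from an endpoint management or OT asset-discovery tool rather than a hard-coded list; the comparison logic is the part worth keeping.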

Evidence notes

CVE published and modified 2024-10-10. CISA ICS advisory ICSA-24-284-14 issued same date. Remediation guidance specifies update to version 5.4.2.2.

Official resources

2024-10-10