PatchSiren

CVE-2024-8518 Schneider Electric CVE debrief

An Improper Input Validation vulnerability in Schneider Electric Zelio Soft 2 lets a specially crafted project file crash the application when it is opened. Exploitation requires local access and user interaction. Confidentiality and integrity are not affected; the only impact is loss of availability of the application itself, which is why the severity is rated Low.

Vendor
Schneider Electric
Product
Zelio Soft 2
CVSS
LOW 3.3
CISA KEV
Not listed in stored evidence
Original CVE published
2024-10-10
Original CVE updated
2024-10-10
Advisory published
2024-10-10
Advisory updated
2024-10-10

Who should care

Owners of engineering workstations running Zelio Soft 2 to program and maintain Zelio Logic smart relays; OT security teams responsible for Schneider Electric environments; asset owners whose industrial control applications depend on Zelio Logic smart relays.

Technical summary

The vulnerability stems from insufficient validation of project file contents in Zelio Soft 2 versions prior to 5.4.2.2: a malformed project file triggers an application crash when it is loaded. The attack vector is local (AV:L), so the attacker has to get a crafted file onto the workstation or to the user, and the user has to open it in Zelio Soft 2 (UI:R). No privileges on the workstation are required (PR:N). The impact is limited to denial of service against the application (A:L); there is no confidentiality or integrity compromise.

Defensive priority

low

Recommended defensive actions

  • Update Zelio Soft 2 to version 5.4.2.2 or later through the Schneider Electric Software Update (SESU) application or via the vendor download portal.
  • Restrict user permissions to prevent unauthorized modification or replacement of project files.
  • Implement application whitelisting and integrity monitoring for Zelio Soft 2 installation and project directories.
  • Train users to verify project file sources and avoid opening files from untrusted origins.
  • Treat unexpected Zelio Soft 2 crashes, especially ones that occur on opening a project file received from outside the organisation, as possible exploitation attempts: retain the file for analysis and confirm the installed version before reopening it.
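The actions above can be combined into a single workstation audit. The PowerShell script below is an added example written for this debrief; it is not Schneider Electric, CISA or PatchSiren code. It checks the installed Zelio Soft 2 version against 5.4.2.2 using the Windows Uninstall registry keys, keeps a SHA-256 baseline of project files so that modified or replaced projects are reported, and lists recent Windows Error Reporting crash records (Application log, provider "Application Error", event ID 1000) whose faulting application mentions Zelio. The DisplayName prefix "Zelio Soft 2", the project directory, the "*.zm2" file filter and the "Zelio" match string for crash events are assumptions that must be verified against a real installation.

```powershell
<#
  Added example (not vendor code): audit one Windows engineering workstation for
  CVE-2024-8518 exposure and for the indicators the recommended actions call out.
  Assumptions, to be checked against a real installation:
    - Zelio Soft 2 registers an Uninstall entry whose DisplayName starts "Zelio Soft 2"
    - project files live under $ProjectDir and match $ProjectFilter (.zm2 is assumed)
    - a crash of the tool surfaces as Application Error event 1000 whose message
      (faulting application name/path) contains "Zelio"
  Run from an elevated PowerShell prompt so HKLM and the Application log are readable.
#>
param(
    [string]$ProjectDir        = 'C:\ZelioProjects',                                  # assumed location
    [string]$ProjectFilter     = '*.zm2',                                             # assumed extension
    [string]$BaselinePath      = "$env:ProgramData\ZelioSoft2-project-baseline.csv",  # this script's own file
    [int]   $CrashLookbackDays = 30
)

# --- 1. Installed version vs. the fixed release -------------------------------
$FixedVersion  = [version]'5.4.2.2'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installs = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Zelio Soft 2*' })

if ($installs.Count -eq 0) {
    Write-Output 'Version: no "Zelio Soft 2*" Uninstall entry found (not installed, or registered under another name)'
}
foreach ($app in $installs) {
    $installed = $null
    if (-not [version]::TryParse([string]$app.DisplayVersion, [ref]$installed)) {
        Write-Output ("Version: {0} has unparseable DisplayVersion '{1}', check manually" -f $app.DisplayName, $app.DisplayVersion)
        continue
    }
    # System.Version compares component-wise, so 5.4.1.x and 5.4.2.1 both sort below 5.4.2.2
    $state = if ($installed -lt $FixedVersion) { 'VULNERABLE, update to 5.4.2.2 or later' } else { 'at or above the fixed release' }
    Write-Output ("Version: {0} {1} is {2}" -f $app.DisplayName, $installed, $state)
}

# --- 2. Integrity baseline of project files -----------------------------------
# First run records SHA-256 per file; later runs report new, modified and removed files.
$current = @(Get-ChildItem -Path $ProjectDir -Filter $ProjectFilter -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Path = $_.FullName; Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
    })

if ($current.Count -eq 0) {
    Write-Output "Integrity: no files matching $ProjectFilter under $ProjectDir, check the assumed location"
} elseif (-not (Test-Path -Path $BaselinePath)) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Integrity: baseline of $($current.Count) file(s) written to $BaselinePath"
} else {
    $baseline = @{}
    Import-Csv -Path $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_.Hash }
    foreach ($file in $current) {
        if (-not $baseline.ContainsKey($file.Path))   { Write-Output "Integrity: NEW       $($file.Path)" }
        elseif ($baseline[$file.Path] -ne $file.Hash) { Write-Output "Integrity: MODIFIED  $($file.Path)" }
        $baseline.Remove($file.Path)
    }
    foreach ($path in $baseline.Keys) { Write-Output "Integrity: REMOVED   $path" }
    Write-Output "Integrity: $($current.Count) file(s) checked against $BaselinePath"
}

# --- 3. Recent crashes of the engineering tool --------------------------------
# Windows Error Reporting logs each application crash as Application Error event 1000;
# the message typically begins "Faulting application name: <exe>, version: ..., time stamp: ..."
$since   = (Get-Date).AddDays(-$CrashLookbackDays)
$crashes = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Zelio' })    # assumed: faulting executable or its path contains "Zelio"

Write-Output ("Crashes: {0} Application Error 1000 event(s) matching 'Zelio' since {1:yyyy-MM-dd}" -f $crashes.Count, $since)
foreach ($evt in $crashes) {
    $firstLine = ($evt.Message -split "`r?`n")[0]
    Write-Output ("  {0:yyyy-MM-dd HH:mm:ss}  {1}" -f $evt.TimeCreated, $firstLine)
}
```

Run it once to write the baseline after a known-good state, then on a schedule or before and after any project file is imported from outside. A MODIFIED or NEW entry that coincides with a crash record in section 3 is the combination worth escalating: keep the file, and confirm the version reported in section 1 before anyone reopens it.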

Evidence notes

CISA CSAF advisory ICSA-24-284-14, published 2024-10-10, confirms the vulnerability and the remediation path. The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L is taken from the official advisory and evaluates to the 3.3 (Low) base score shown above.

Official resources

2024-10-10