CVE-2024-9002 Schneider Electric CVE debrief

Who should care

Organizations using Schneider Electric Easergy Studio for protection relay configuration and management, particularly in electric utility and industrial environments where workstation integrity is critical for operational technology (OT) security.

Technical summary

CVE-2024-9002 is a CWE-269 Improper Privilege Management vulnerability in Schneider Electric Easergy Studio versions 9.3.1 and prior. The vulnerability allows authenticated non-administrative users to escalate privileges by tampering with application binaries, resulting in unauthorized access and potential loss of confidentiality, integrity, and availability on the affected workstation. The attack requires local access with low privileges but no user interaction. Schneider Electric addressed this vulnerability in version 9.3.4, released in December 2022.

Defensive priority

high

Recommended defensive actions

• Upgrade Easergy Studio to version 9.3.4 or later, which includes a fix released in December 2022
• Apply the principle of least privilege to Easergy Studio user accounts
• Restrict physical and logical access to Easergy Studio workstations to authorized personnel only
• Monitor for unauthorized binary modifications or privilege escalation attempts on Easergy Studio installations
• Follow CISA ICS recommended practices for defense-in-depth strategies in industrial control environments

Evidence notes

CISA ICS advisory ICSA-25-023-04 documents this vulnerability in Easergy Studio versions 9.3.1 and prior. The advisory confirms Schneider Electric released version 9.3.4 with a fix in December 2022. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H confirms local attack vector with high impact across confidentiality, integrity, and availability.

Official resources