Schneider Electric Pro-face GP-Pro EX and Remote HMI Improper Message Integrity Enforcement Vulnerability

Vulnerability

A vulnerability exists in Schneider Electric's Pro-face GP-Pro EX and Remote HMI products, all versions, due to improper enforcement of message integrity during transmission. This vulnerability could lead to a man-in-the-middle attack, allowing an attacker to intercept communication and cause a partial loss of confidentiality, integrity, and availability of the Human Machine Interface (HMI).

Impact

Exploitation of this vulnerability could result in information disclosure, integrity issues, and operational failures on the affected HMI.

Remediation

Schneider Electric is developing a remediation plan for future versions of Pro-face GP-Pro EX and Pro-face Remote HMI that will address this vulnerability. Until this update is available, customers using Pro-face Remote HMI should use the Pro-face Connect solution or any other VPN to secure remote access by encrypting communication between Pro-face Remote HMI and Pro-face GP-Pro EX. Customers not using Pro-face Remote HMI should disable the Pro-face Remote HMI feature, which is deactivated by default.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 1.9
exploitability: 4.0
remediation: 7.9
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.