Schneider Electric EcoStruxure Power Automation System User Interface Authentication Bypass Vulnerability
Vulnerability
A vulnerability allowing authentication bypass has been identified in Schneider Electric's EcoStruxure Power Automation System User Interface (EPAS-UI) versions 2.1 through 2.9. This improper authentication vulnerability (CWE-287) could be exploited by an unauthorized user with physical access to the EPAS-UI computer. The user could reboot the workstation and disrupt the normal boot process, potentially gaining partial to full control of the application.
Impact
Exploitation of this vulnerability could lead to an authentication bypass, allowing an unauthorized user to gain partial to full control of the EPAS-UI application.
Remediation
Users can upgrade to version 2.10 of EcoStruxure Power Automation System User Interface (EPAS-UI), which includes a fix for this vulnerability. This version is available by contacting Schneider Electric's Customer Care Center. For those who choose not to apply the update, it is recommended to rename the 'MCIS.chm' file to 'MCIS.old' and restart the machine.
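An added example (not from Schneider Electric or the original advisory) that triages an asset inventory against the affected range and workaround above. The inventory records, host names, field names and status labels are constructed assumptions. Versions are compared as integer pairs, because 2.10 read as a decimal number equals 2.1 and would be misclassified as affected.

```python
# Added example: triage a constructed EPAS-UI inventory against this advisory.
from typing import NamedTuple

AFFECTED_FIRST = (2, 1)   # advisory: versions 2.1 through 2.9 are affected
AFFECTED_LAST = (2, 9)
FIXED_IN = (2, 10)        # advisory: the fix is included in version 2.10


class Host(NamedTuple):   # hypothetical inventory record, not a vendor format
    name: str
    version: str
    chm_present: bool     # True if MCIS.chm still exists (not renamed to MCIS.old)
    restarted: bool       # True if the machine was restarted after the rename


def parse_version(text: str) -> tuple:
    """Return (major, minor) as integers so that 2.10 sorts after 2.9."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(parts[0]), int(parts[1])


def triage(host: Host) -> str:
    """Classify one host using only the facts stated in the advisory."""
    try:
        version = parse_version(host.version)
    except ValueError:
        return "unknown-version"          # needs manual review
    if version >= FIXED_IN:
        return "fixed"
    if not (AFFECTED_FIRST <= version <= AFFECTED_LAST):
        return "outside-advisory-range"   # the advisory makes no statement
    if host.chm_present:
        return "exposed"
    # The workaround is the rename followed by a restart.
    return "workaround-applied" if host.restarted else "restart-pending"


def report(hosts):
    return {h.name: triage(h) for h in hosts}


# Constructed sample inventory.
INVENTORY = [
    Host("hmi-01", "2.10", True, True),
    Host("hmi-02", "2.1", True, False),
    Host("hmi-03", "2.9", False, True),
    Host("hmi-04", "2.7", False, False),
]

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```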
