Schneider Electric Software Update Improper Link Resolution Vulnerability Leading to Arbitrary Data Writing and Privilege Escalation

Vulnerability

A vulnerability has been identified in Schneider Electric Software Update (SESU) versions prior to 3.0.12. This 'Link Following' (improper link resolution) vulnerability allows a low-privileged attacker who can manipulate the installation folder to cause unauthorized data to be written to protected locations. Such writes could cause privilege escalation, arbitrary file corruption, exposure of application and system information, or a persistent denial-of-service condition.
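
The weakness class the advisory describes, shown as an added POSIX example that is not Schneider Electric's code: a privileged updater that trusts its installation folder (`naive_write`) beside one that refuses to traverse a link at any path component (`safe_write`). The folder, file names and the planted symlink are constructed for the demo; on Windows the same discipline must also cover junctions and other reparse points, which this snippet does not handle.

```python
import os
import tempfile

class UnsafePathError(RuntimeError):
    """A path component is a link, escapes the root, or is not a directory."""

def naive_write(root, relpath, data):
    """Vulnerable pattern: trust the install folder and follow whatever is in it."""
    target = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return os.path.realpath(target)  # where the bytes actually landed

def safe_write(root, relpath, data):
    """Create root/relpath without traversing a link at any path component."""
    parts = [p for p in relpath.replace("\\", "/").split("/") if p]
    if not parts or ".." in parts or "." in parts:
        raise UnsafePathError("bad relative path: %r" % relpath)
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.open(root, dir_flags)
    try:
        for name in parts[:-1]:
            # Each hop is opened via dir_fd with O_NOFOLLOW: a link swapped in mid-walk is still refused.
            nxt = os.open(name, dir_flags, dir_fd=fd)
            os.close(fd)
            fd = nxt
        # O_NOFOLLOW refuses a link at the leaf; O_EXCL refuses any pre-existing file (e.g. a planted hard link).
        out = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o644, dir_fd=fd)
    except OSError as exc:
        raise UnsafePathError("refusing %s: %s" % (relpath, exc)) from exc
    finally:
        os.close(fd)
    with os.fdopen(out, "wb") as fh:
        fh.write(data)
    return os.path.join(root, *parts)

def demo():
    root, protected = tempfile.mkdtemp(), tempfile.mkdtemp()  # constructed install and protected folders
    os.symlink(protected, os.path.join(root, "plugins"))  # the tampered component
    landed = naive_write(root, "plugins/update.bin", b"payload")
    try:
        safe_write(root, "plugins/update.bin", b"payload")
        refused = False
    except UnsafePathError:
        refused = True
    os.mkdir(os.path.join(root, "real"))
    with open(safe_write(root, "real/update.bin", b"ok"), "rb") as fh:
        content = fh.read()
    return landed.startswith(os.path.realpath(protected)), refused, content
```

`demo()` returns whether the naive write landed inside the protected folder, whether the hardened write refused the linked component, and the bytes written through the genuine directory.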

Impact

Exploitation of this vulnerability could result in unauthorized writing of data to protected locations, leading to privilege escalation, corruption of files, exposure of sensitive application and system information, or a sustained denial-of-service condition.

Remediation

Users can upgrade to SESU version 3.0.12, which includes a fix for this vulnerability; it is available for download from the Schneider Electric Software Update website. Where an earlier version of SESU is already installed, the update to version 3.0.12 is delivered as a critical update and applied automatically, subject to the 'automatic' update configuration.

Added: Aug 18, 2025, 8:16 AM
Updated: Aug 18, 2025, 8:16 AM

Vulnerability Rating

Custom Algorithm

spread:         2.4
impact:         7.5
exploitability: 3.3
remediation:    7.7
relevance:      0.4
threat:         0.0
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.