Schneider Electric EcoStruxure Building Operation Uncontrolled Resource Consumption Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Schneider Electric's EcoStruxure Building Operation Enterprise Server, Enterprise Central, and Workstation, all versions prior to 7.0.1. This vulnerability allows an authenticated user to cause uncontrolled resource consumption by sending a specially crafted request to a specific endpoint within the Building Management System (BMS) network.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, causing operational disruptions within the affected building management system.

Remediation

Users can upgrade to EcoStruxure Building Operation versions 7.0.2.348, 6.0.4.10001 (CP8), or 5.0.3.17009 (CP16). After upgrading, it is recommended to follow the EBO hardening guidelines. For assistance, contact Schneider Electric's Customer Care Center.

Added: Aug 20, 2025, 2:23 PM
Updated: Aug 20, 2025, 2:43 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 3.5
remediation: 7.9
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.