Schneider Electric created a patch for an unsafe ActiveX control vulnerability in its SoMachine software, according to a report with ICS-CERT.
Andrea Micalizzi reported this remotely exploitable vulnerability to the Zero Day Initiative (ZDI) who then reported it to ICS‑CERT.
SoMachine HVAC-Application Version 2.0.2 and previous suffer from the issue.
An exploitation of this vulnerability may allow an attacker to remotely execute arbitrary code.
Schneider Electric’s corporate headquarters is in Paris, France, and it maintains offices in more than 100 countries worldwide.
The affected product, SoMachine, is software for developing, configuring, and commissioning a machine in a single software environment, including logic, motion control, HMI, and related network automation functions. SoMachine sees action in the commercial facilities sector. Schneider Electric said this product sees use on a global basis.
An ActiveX control appears intended for restricted use, but it ended up marked as safe-for-scripting.
CVE-2016-4529 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill would be able to exploit this vulnerability.
Schneider Electric released a patch that resolves the vulnerability.
Click here for Schneider Electric’s security notice SEVD-2016-161-01.