Today CISA published an update for a control system security advisory for products from Schneider Electric. I also take a down-the-rabbit-hole look at the mitigation information provided in this advisory.
Schneider Update
This update provides additional information on the EcoStruxure Power Monitoring Expert advisory that was originally published on February 6th, 2025. The new information includes adding a CVSS 4.0 score.
NOTE: I briefly discussed this updated information on March 16th, 2025.
DTRH
Schneider updated their advisory for this vulnerability on March 11th, 2025. In my blog post for that update, I noted that: “The new information includes adding CVSS4.0 scoring and more specific remediation information provided.”
The ‘more specific remediation information’ included in that update was the update description (Hotfix_75031_PME2022), provided so that an owner/operator would be able to find the appropriate hotfix on the Customer Care Center site. That information was not added to today’s CISA update. So, is this a problem? Let’s see.
Using the CISA-provided information: going to the Customer Care Center site, I entered “EcoStruxure Power Monitoring Expert (PME) Version 2022” (both with and without the quote marks) into the search bar and then clicked on the “Software – Hotfix & Patch” software filter. I got 127 entries, the most recent being for “Prefab TM3 IO System Driver for PME 2022/2021/2020 (ENG)” dated January 24th, 2023. It does not look like that would be helpful for the vulnerability outlined in the advisory.
Using the Schneider-provided information: going to the Customer Care Center site, I entered “Hotfix_75031_PME2022” and got a “We could not find any results for Hotfix_75031_PME2022” error message. Replacing the “_” with blank spaces, I got a YouTube video on “Troubleshooting Device Connection Issues with Power Monitoring Expert”. So next I tried “Hotfix_75031” and got the same error message. Next, I tried “Hotfix 75031” and still no result. Finally, I tried entering “Hotfix 75031 Power Monitoring Expert 2022” and then clicking on the Hotfix & Patch filter under ‘Software’, and I ended up with 34 results, the newest being the same driver patch that I found using the CISA information.
So, no, it does not seem that the failure of CISA to provide the hotfix number that is available in the latest Schneider advisory makes it any more difficult to find the hotfix. Actually, neither advisory provides sufficient information to find the fix on the Schneider site. I suppose owners could try to talk to an actual person at Schneider, but that kind of obviates the need for the whole web site thing…