Schneider Electric Devices Face Critical Vulnerability Risk

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert regarding vulnerabilities found in Schneider Electric’s Wiser AvatarOn 6K Freelocate and Wiser Cuadro H 5P Socket products. The vulnerabilities have been assigned a CVSS v4 score of 9.3, indicating a serious risk, as they are exploitable remotely with low attack complexity.

The vulnerabilities, classified as a buffer overflow issue, could allow attackers to inject malicious code or bypass authentication mechanisms. This troubling news highlights the ongoing concerns regarding the cybersecurity of critical infrastructure, particularly in the commercial facilities and energy sectors where these devices operate.

According to CISA, users should take immediate action to mitigate risks, as the affected products have reached their end of life and are no longer supported. Recommendations include disabling firmware updates in the Zigbee Trust Center or removing affected devices from service entirely. CISA also emphasizes the importance of securing network access for all control systems and suggests the use of Virtual Private Networks (VPNs) for secure remote access.

Schneider Electric reported this vulnerability to CISA and encourages affected users to stay informed through its security notification service.