Skip to main content

Critical vulnerability found in Schneider Electric's Unity Pro software

A critical vulnerability has been found in Schneider Electric's Unity Pro software that gives hackers the ability to remotely execute code that could disrupt any business or utility which uses the company's controllers.

The vulnerability was discovered by the industrial cybersecurity firm Indegy that has since released a report (opens in new tab)detailing the flaw and how it could affect the industrial controllers used by businesses and utilities to control their operations. The company's CTO Mille Gandelsman has strongly encouraged users running Unit Pro to update to the latest version of the software in order to protect themselves from a potential attack.

Gandelsman highlighted the seriousness of the flaw, saying: “If the IP address of the Windows PC running the Unity Pro software is accessible to the internet, then anyone can exploit the software and run code on hardware.  This is the crown jewel of access. An attacker can do anything they want with the controllers themselves.”

A large number of businesses and utilities could potentially be disrupted by this vulnerability, as Schneider Electric's Unity Pro software is used to manage and program millions of industrial controllers worldwide. The flaw itself though was found in a component of the software called Unity Pro PLC Simulator which is utilised to test industrial controllers.

Gandelsman explained what could happen if an attacker was able to access this component, saying: “This is what an attacker would want to have access to in order to impact the actual production process within an ICS physical environment. That includes the valves, turbines, centrifuges and smart meters. These are accessible from the engineering stations natively. With this type of access, an attacker can use it to change the recipe to drugs being manufactured or turn off the power grid of a city."

Schneider Electric has informed its customers regarding the flaw through a Security Notification (opens in new tab) in which it said: “The vulnerability is arbitrary code execution made possible by remotely downloading a patched project file to the Unity Simulator.”

Every version of Unity Pro, including version 11.1, are susceptible to the flaw so it is essential that anyone using Schneider Electric's software upgrade as soon as possible.

Image Credit: Ricochet64 / Shutterstock

After getting his start at ITProPortal and then working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches to how to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.