CVE-2020-7474
📋 TL;DR
CVE-2020-7474 is a path traversal vulnerability in ProSoft Configurator software that allows attackers to execute arbitrary code by tricking users into opening malicious project files. When users double-click a specially crafted project file, the software loads untrusted DLLs from uncontrolled search paths, enabling remote code execution. This affects users of ProSoft Configurator version 1.002 and earlier for the PMEPXM0100 (H) module.
💻 Affected Systems
- ProSoft Configurator
📦 What is this software?
PMEPXM0100 ProSoft Configurator by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive industrial control system configurations and potential manipulation of industrial processes.
If Mitigated
Limited impact with proper user training and file validation controls preventing malicious file execution.
🎯 Exploit Status
Exploitation requires social engineering to get users to open malicious project files. No authentication bypass needed but requires user interaction.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.003 or later
Vendor Advisory: https://www.se.com/ww/en/download/document/SEVD-2020-042-01/
Restart Required: Yes
Instructions:
1. Download ProSoft Configurator version 1.003 or later from Schneider Electric's website.
2. Uninstall previous versions.
3. Install the updated version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict Project File Execution
(Windows) Configure Windows to open project files with a text editor instead of ProSoft Configurator by default.
Right-click on .project files -> Open With -> Choose Another App -> Select Notepad or other text editor -> Check 'Always use this app'
User Training and File Validation
(All platforms) Train users to only open project files from trusted sources and implement file validation procedures.
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized DLLs
- Use network segmentation to isolate ProSoft Configurator systems from critical infrastructure
🔍 How to Verify
Check if Vulnerable:
Check ProSoft Configurator version in Help -> About. If version is 1.002 or earlier, the system is vulnerable.
Check Version:
Open ProSoft Configurator -> Click Help -> Click About
Verify Fix Applied:
Verify installed version is 1.003 or later in Help -> About menu. Test that project files from untrusted sources cannot execute arbitrary code.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual paths
- Application logs showing project file loading errors
Network Indicators:
- Unusual outbound connections from ProSoft Configurator process
- File downloads of project files from untrusted sources
SIEM Query:
Process Creation where Image contains 'ProSoft' AND CommandLine contains '.project' AND ParentImage contains 'explorer.exe'
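
One way to act on the "DLL loading from unusual paths" log indicator, as an added example that is not part of the original advisory or any vendor tooling: it filters Sysmon Event ID 7 (ImageLoad) records for DLLs the configurator loaded from outside its install directory and the Windows system directories. The process-name marker, install path, executable name and sample events are constructed assumptions to replace with values from your own hosts.

```python
import ntpath

# Assumptions, not from the advisory: events are Sysmon Event ID 7 (ImageLoad)
# records already parsed into dicts; the process-name marker and install
# directory are placeholders to replace with the values from your hosts.
PROCESS_MARKER = "prosoft"
TRUSTED_DIRS = [
    r"C:\Program Files (x86)\ProSoft Configurator",  # placeholder install dir
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
]

def _norm(path):
    # Collapse ".." segments and fold case/slashes before any prefix check.
    return ntpath.normcase(ntpath.normpath(path))

def is_trusted(dll_path, trusted_dirs=TRUSTED_DIRS):
    dll = _norm(dll_path)
    # Compare against "dir\" so C:\Windows\System32Evil does not pass as System32.
    return any(dll.startswith(_norm(d) + "\\") for d in trusted_dirs)

def suspicious_loads(events):
    """Image loads by the configurator from outside the trusted directories."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        if PROCESS_MARKER not in ntpath.basename(ev.get("Image", "")).lower():
            continue
        if not is_trusted(ev.get("ImageLoaded", "")):
            hits.append(ev)
    return hits

# Constructed sample events, not real telemetry.
_EXE = r"C:\Program Files (x86)\ProSoft Configurator\ProSoftConfigurator.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": _EXE, "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 7, "Image": _EXE, "ImageLoaded": r"C:\Users\operator\Downloads\plant\version.dll"},
    {"EventID": 7, "Image": _EXE,
     "ImageLoaded": r"C:\Program Files (x86)\ProSoft Configurator\..\..\Users\Public\helper.dll"},
    {"EventID": 7, "Image": _EXE, "ImageLoaded": r"C:\Windows\System32Evil\helper.dll"},
    {"EventID": 7, "Image": r"C:\Windows\notepad.exe", "ImageLoaded": r"C:\Users\operator\Downloads\x.dll"},
    {"EventID": 1, "Image": _EXE, "CommandLine": "constructed process-creation record"},
]

if __name__ == "__main__":
    for hit in suspicious_loads(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "loaded", _norm(hit["ImageLoaded"]))
```

A DLL loaded from the same folder as a recently opened project file is the case this filter is meant to surface; tune `TRUSTED_DIRS` to the actual install location before relying on it.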