CVE-2021-22704
📋 TL;DR
This vulnerability is a path traversal (CWE-22) in the FTP service of Schneider Electric Harmony HMI panels whose runtime was built with a vulnerable version of Vijeo Designer, Vijeo Designer Basic, or EcoStruxure Machine Expert. An attacker who can reach the HMI's FTP service can request paths outside the FTP root, causing a denial of service of the HMI or reading system information it was not meant to expose. The vulnerable component lives on the HMI panel itself, so the exposure is on the plant network, not only on the engineering workstation that runs the configuration software.
💻 Affected Systems
- Harmony/HMI Products Configured by Vijeo Designer
- Vijeo Designer Basic
- EcoStruxure Machine Expert
📦 What is this software?
EcoStruxure Machine Expert by Schneider Electric: the machine programming and configuration suite used to build and download projects (including the HMI runtime) to Schneider controllers and Harmony HMI panels.
Vijeo Designer by Schneider Electric: the configuration software for Harmony HMI panels; the HMI runtime it generates is what exposes the FTP service affected here.
⚠️ Risk & Real-World Impact
Worst Case
Read access to files outside the FTP root on the HMI (system configuration and project files) combined with a denial of service that takes the operator interface offline and disrupts the industrial process it supervises. The advisory describes information disclosure and denial of service, not code execution, so "complete compromise" should not be assumed from this CVE alone.
Likely Case
Denial of service affecting HMI functionality and potential information disclosure of system configuration files.
If Mitigated
Limited impact with proper network segmentation and access controls preventing FTP access from untrusted networks.
🎯 Exploit Status
Exploitation requires network reach to the FTP service on the HMI (TCP port 21 by default). Path traversal is a well-understood technique: probing it needs nothing beyond a standard FTP client issuing CWD/RETR/LIST commands with ../ or ..\ sequences, so any HMI whose FTP port is reachable from an untrusted network should be treated as exposed.
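The following added example illustrates the CWE-22 pattern behind this class of bug: an FTP server joining a client-supplied path onto its root and letting ".." climb out, next to the confined resolver a hardened server should use. This is illustrative code written for this page, not Schneider Electric's HMI firmware; the FTP root "/ftp" and the file names are assumed, and the example also covers backslash separators, which matter on Windows-hosted runtimes.

```python
import posixpath

# Assumed FTP root on a hypothetical HMI (illustrative, not Schneider's code).
FTP_ROOT = "/ftp"


def _normalize_client_path(client_path: str) -> str:
    """Apply the normalizations a Windows-hosted FTP server effectively performs:
    reject NUL bytes and treat backslashes as directory separators."""
    if "\x00" in client_path:
        raise ValueError("NUL byte in path")
    return client_path.replace("\\", "/")


def resolve_naive(root: str, cwd: str, client_path: str) -> str:
    """The vulnerable pattern (CWE-22): concatenate root + cwd + client path
    and let the OS collapse '..'. '../../etc/passwd' simply leaves the root."""
    rel = _normalize_client_path(client_path)
    return posixpath.normpath(posixpath.join(root, cwd.lstrip("/"), rel))


def resolve_confined(root: str, cwd: str, client_path: str) -> str:
    """Hardened resolver: normalize first, then require the result to be the
    root itself or a path strictly below it. On a real filesystem you would
    additionally resolve symlinks (os.path.realpath) before this check."""
    root = posixpath.normpath(root)
    rel = _normalize_client_path(client_path)
    # An absolute client path is relative to the FTP root, never to "/".
    base = root if rel.startswith("/") else posixpath.join(root, cwd.strip("/"))
    candidate = posixpath.normpath(posixpath.join(base, rel.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"{client_path!r} resolves to {candidate}, outside {root}")
    return candidate


def escapes_root(root: str, cwd: str, client_path: str) -> bool:
    """True when the confined resolver rejects the request."""
    try:
        resolve_confined(root, cwd, client_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: one legitimate, three traversal attempts.
    for cwd, path in [("logs", "alarm.csv"),
                      ("", "../../etc/passwd"),
                      ("logs", "..\\..\\project.vdz"),
                      ("", "/logs/../alarm.csv")]:
        print(f"{path!r:28} naive={resolve_naive(FTP_ROOT, cwd, path):22} "
              f"escapes={escapes_root(FTP_ROOT, cwd, path)}")
```

The naive resolver returns "/etc/passwd" for the second request, which is exactly the behaviour the CVE describes; the confined resolver rejects it and the backslash variant while still accepting "/logs/../alarm.csv", which stays inside the root.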
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Vijeo Designer V6.2 SP11, Vijeo Designer Basic V1.2, EcoStruxure Machine Expert V2.0
Vendor Advisory: http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-222-01
Restart Required: Yes
Instructions:
1. Download the fixed version of the configuration software from Schneider Electric's website.
2. Install it on the engineering workstation following the vendor documentation.
3. Open each affected HMI project, rebuild it, and download the project (including the updated runtime) to every HMI panel. Updating the workstation alone does not fix the panel, because the vulnerable FTP service runs on the HMI.
4. Restart the HMI and confirm the runtime version on the panel matches the fixed release.
🔧 Temporary Workarounds
Disable FTP Service
Platform: HMI runtime (Windows)
Disable FTP on the HMI if it is not required for operations. The FTP server is typically enabled in the HMI project's target settings; disable it there and download the project to the panel again, then confirm port 21 no longer answers.
Network Segmentation
Platform: all
Restrict FTP access to the HMI to trusted engineering hosts only, using firewall rules. Block TCP port 21 from untrusted networks, and remember that passive-mode FTP opens additional data ports on the server, so a rule that covers only port 21 does not stop file transfers that are already authenticated.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate HMI systems from untrusted networks
- Disable FTP service entirely if not required for operations
🔍 How to Verify
Check if Vulnerable:
Check the version of the configuration software in Windows Programs and Features, and check the runtime version on each HMI panel through its system information screen. If either is below the patched versions, the system is vulnerable; the HMI runtime version is the one that matters for exposure.
Check Version:
Check via HMI system information or Windows Control Panel > Programs and Features
Verify Fix Applied:
Verify installed version matches or exceeds patched versions: Vijeo Designer ≥ V6.2 SP11, Vijeo Designer Basic ≥ V1.2, EcoStruxure Machine Expert ≥ V2.0
📡 Detection & Monitoring
Log Indicators:
- FTP logins to the HMI outside maintenance windows or from accounts not used by engineering
- FTP requests containing ../ or ..\ sequences, whether or not the server rejected them
- Repeated connection attempts or failed logins against the HMI's FTP service
Network Indicators:
- FTP traffic to HMI systems from unexpected sources
- Patterns of ../, ..\ or their percent-encoded forms (%2e%2e) in FTP command arguments
SIEM Query:
source="ftp_logs" ("../" OR "..\\" OR "%2e%2e" OR "%2E%2E")
Adjust the source and field names to your FTP logging format; the backslash is doubled because it is an escape character in the query language.
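The detection logic above, as an added example run over constructed FTP command log lines (these are not real Harmony HMI logs, and the "timestamp client_ip command argument" format is an assumption). It percent-decodes twice, treats backslashes as separators, flags literal ".." segments and the "....//" padding trick used to evade naive filters, and lists sources that exceed an attempt threshold. This is example code written for this page, not a Schneider Electric tool.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (assumed format: "<timestamp> <client_ip> <cmd> <arg>").
SAMPLE_LOG = """\
2021-08-10T09:12:01Z 10.0.5.23 USER operator
2021-08-10T09:12:01Z 10.0.5.23 CWD /logs
2021-08-10T09:12:02Z 10.0.5.23 RETR alarm_20210810.csv
2021-08-10T09:15:40Z 192.168.77.9 USER anonymous
2021-08-10T09:15:41Z 192.168.77.9 RETR ../../../system/config.xml
2021-08-10T09:15:42Z 192.168.77.9 RETR ..\\..\\project.vdz
2021-08-10T09:15:43Z 192.168.77.9 RETR %2e%2e/%2e%2e/etc/passwd
2021-08-10T09:15:44Z 192.168.77.9 LIST ....//....//
"""

DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(?=/|$)")  # a literal ".." path segment
DOT_PADDING = re.compile(r"\.{3,}/")               # "....//" filter-evasion pattern
PATH_COMMANDS = {"RETR", "STOR", "APPE", "CWD", "LIST", "NLST", "MLSD",
                 "DELE", "MKD", "RMD", "SIZE"}


def normalize_ftp_path(arg: str) -> str:
    """Undo the encodings used to hide '..' from naive filters."""
    p = arg
    for _ in range(2):            # double encoding (%252e) survives one decode
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    return p.replace("\\", "/")   # Windows-hosted runtimes accept both separators


def traversal_reason(arg: str):
    """Return a short reason string if the argument looks like traversal, else None."""
    p = normalize_ftp_path(arg)
    if DOTDOT_SEGMENT.search(p):
        return "dot-dot segment" + (" (after normalization)" if p != arg else "")
    if DOT_PADDING.search(p):
        return "dot-padding evasion"
    return None


def scan_ftp_log(text: str, threshold: int = 3) -> dict:
    """Scan log lines; return findings, attempts per source IP, and noisy sources."""
    findings = []
    per_ip = Counter()
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue                      # commands without an argument (PWD, QUIT)
        ts, ip, cmd, arg = parts
        if cmd.upper() not in PATH_COMMANDS:
            continue
        reason = traversal_reason(arg)
        if reason:
            findings.append({"time": ts, "ip": ip, "cmd": cmd, "arg": arg, "reason": reason})
            per_ip[ip] += 1
    noisy = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"findings": findings, "attempts_by_ip": dict(per_ip), "noisy_sources": noisy}


if __name__ == "__main__":
    import json
    print(json.dumps(scan_ftp_log(SAMPLE_LOG), indent=2))
```

On the sample above, all four flagged commands come from 192.168.77.9, which is also reported as a noisy source; the operator's normal RETR of a CSV from /logs is not flagged. Percent-decoding and backslash folding are what make the SIEM substring query above insufficient on its own.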