CVE-2021-22733
📋 TL;DR
This vulnerability allows attackers to gain unauthorized shell access on Schneider Electric homeLYnk (Wiser For KNX) and spaceLYnk systems by loading malicious code into the system folder. It affects systems running version 2.60 and earlier. Attackers could potentially take full control of affected devices.
💻 Affected Systems
- homeLYnk (Wiser For KNX)
- spaceLYnk
📦 What is this software?
Homelynk Firmware by Schneider Electric
Spacelynk Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal credentials, pivot to other network devices, or deploy ransomware.
Likely Case
Unauthorized shell access leading to configuration changes, data exfiltration, or installation of backdoors for persistent access.
If Mitigated
Limited impact if systems are isolated from untrusted networks and have strict access controls preventing unauthorized file uploads.
🎯 Exploit Status
The vulnerability description indicates that exploitation is straightforward once an attacker can write files into the system folder: malicious code placed there leads to unauthorized shell access. The description does not spell out what is required to place the file, so treat any path that lets a user write into that folder (web interface, file transfer, management tooling) as exploitable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after V2.60
Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-130-04
Restart Required: Yes
Instructions:
1. Download the latest firmware from Schneider Electric's website.
2. Back up the current configuration.
3. Apply the firmware update through the device's web interface.
4. Restart the device.
5. Verify that the update was successful.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected devices from untrusted networks and limit access to authorized management systems only.
File Upload Restrictions
Implement strict controls on file uploads to the system folder if the device's configuration allows this.
🧯 If You Can't Patch
- Segment affected devices on isolated VLANs with strict firewall rules preventing external access
- Implement network monitoring for unusual file uploads or shell access attempts to these devices
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version through the web interface. If the version is V2.60 or earlier, the device is vulnerable.
Check Version:
Check via web interface at http://[device-ip]/ or through device management software
Verify Fix Applied:
After updating, verify the firmware version shows a version higher than 2.60 in the device's web interface.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file uploads to system folder
- Unexpected shell access or command execution
- Failed authentication attempts followed by successful access
Network Indicators:
- Unusual outbound connections from building automation devices
- File transfer protocols (FTP/SCP) to unexpected destinations
- SSH connections from non-management systems
SIEM Query (field and value names are placeholders; match them to how your collector labels these devices):
(source="homeLYnk" OR source="spaceLYnk") AND (event="file_upload" OR event="shell_access" OR event="command_execution")
Without the parentheses around the source terms, AND binds tighter than OR in most query languages, so the query would return every homeLYnk event plus only the filtered spaceLYnk events.