CVE-2021-22765
📋 TL;DR
This vulnerability allows attackers to send specially crafted HTTP packets to PowerLogic EGX100 and EGX300 devices, potentially causing denial of service or remote code execution. It affects EGX100 versions 3.0.0 and newer, and all versions of EGX300. The high CVSS score of 9.8 indicates critical severity.
💻 Affected Systems
- PowerLogic EGX100
- PowerLogic EGX300
📦 What is this software?
PowerLogic EGX100 firmware by Schneider Electric
PowerLogic EGX300 firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with full system compromise, allowing attackers to take complete control of the device, manipulate power monitoring data, or pivot to other industrial systems.
Likely Case
Denial of service causing device unavailability, disrupting power monitoring and management capabilities in industrial environments.
If Mitigated
Limited impact if devices are properly segmented behind firewalls with strict network access controls and input validation at perimeter devices.
🎯 Exploit Status
The vulnerability requires no authentication and involves sending crafted HTTP packets, making exploitation relatively straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Schneider Electric advisory for specific patched versions
Vendor Advisory: http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-03
Restart Required: Yes
Instructions:
1. Download the firmware update from the Schneider Electric portal.
2. Back up the current device configuration.
3. Apply the firmware update following the vendor instructions.
4. Restart the device.
5. Verify that the update was successful.
🔧 Temporary Workarounds
Network Segmentation
Isolate EGX devices in separate VLANs with strict firewall rules limiting HTTP access to authorized management systems only.
Access Control Lists
Implement network ACLs to restrict HTTP traffic to EGX devices from specific trusted IP addresses only.
🧯 If You Can't Patch
- Implement strict network segmentation with firewall rules blocking all unnecessary HTTP traffic to affected devices
- Deploy intrusion detection/prevention systems to monitor for exploitation attempts and block malicious HTTP packets
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version via the web interface or CLI. For EGX100, versions 3.0.0 and newer are vulnerable. All EGX300 versions are vulnerable.
Check Version:
Check via web interface at http://[device-ip]/ or consult device documentation for CLI version check commands.
Verify Fix Applied:
Verify that the firmware version matches the patched version specified in the Schneider Electric advisory, then test HTTP functionality to confirm the device still operates as expected.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP request patterns
- Multiple malformed HTTP requests
- Device restart logs following HTTP traffic
Network Indicators:
- HTTP packets with unusual headers or payloads to EGX device ports
- Traffic from unexpected sources to EGX HTTP ports
SIEM Query:
source_ip=* AND dest_ip=[EGX_IP] AND dest_port=80 AND (http_request contains unusual_pattern OR http_user_agent contains exploit_tool)
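The following is an added example, not part of the advisory or any Schneider Electric tooling. It turns the three indicators above (traffic from unexpected sources to EGX HTTP ports, bursts of malformed HTTP requests, and a device restart shortly after HTTP traffic) into a small correlation routine run over constructed, syslog-style sample lines. The line format, the EGX inventory, the trusted management host set, and the thresholds are all assumptions chosen for the example; adapt them to what your firewall or reverse proxy actually logs.

```python
"""Correlate EGX HTTP indicators over sample log lines (added example).

Assumed log shapes (constructed for this example, not a real vendor format):
  <ISO-ts> http src=<ip> dst=<ip> dport=<port> status=<ok|malformed>
  <ISO-ts> event host=<ip> msg="<text>"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

EGX_HOSTS = {"10.10.5.20"}        # assumption: inventory of EGX device IPs
TRUSTED_MGMT = {"10.10.1.5"}      # assumption: hosts allowed to reach EGX over HTTP
HTTP_PORTS = {80}                 # the advisory's SIEM query watches dest_port=80
MALFORMED_THRESHOLD = 3           # illustrative: N malformed requests per source ...
WINDOW = timedelta(seconds=60)    # ... within this window raises a burst alert
RESTART_LOOKBACK = timedelta(seconds=120)  # restart this soon after HTTP is suspicious

HTTP_RE = re.compile(
    r"^(?P<ts>\S+) http src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) status=(?P<status>\w+)$"
)
EVENT_RE = re.compile(r'^(?P<ts>\S+) event host=(?P<host>\S+) msg="(?P<msg>[^"]*)"$')

# Constructed sample log: one trusted request, three malformed requests from an
# untrusted host, one request to a non-EGX host, then the EGX device restarts.
SAMPLE_LOG = [
    "2021-06-01T10:00:00 http src=10.10.1.5 dst=10.10.5.20 dport=80 status=ok",
    "2021-06-01T10:00:05 http src=192.168.9.9 dst=10.10.5.20 dport=80 status=malformed",
    "2021-06-01T10:00:10 http src=192.168.9.9 dst=10.10.5.20 dport=80 status=malformed",
    "2021-06-01T10:00:15 http src=192.168.9.9 dst=10.10.5.20 dport=80 status=malformed",
    "2021-06-01T10:00:20 http src=10.10.1.5 dst=10.10.7.7 dport=80 status=ok",
    '2021-06-01T10:00:40 event host=10.10.5.20 msg="device restart"',
]


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = HTTP_RE.match(line)
    if m:
        rec = m.groupdict()
        rec.update(kind="http", ts=datetime.fromisoformat(rec["ts"]), dport=int(rec["dport"]))
        return rec
    m = EVENT_RE.match(line)
    if m:
        rec = m.groupdict()
        rec.update(kind="event", ts=datetime.fromisoformat(rec["ts"]))
        return rec
    return None


def analyze(lines, egx_hosts=EGX_HOSTS, trusted=TRUSTED_MGMT):
    """Walk the log in order and emit one alert per triggered rule and peer pair."""
    alerts = []
    seen_untrusted = set()                 # (src, dst) pairs already reported
    malformed = defaultdict(list)          # (src, dst) -> timestamps of malformed requests
    burst_reported = set()
    last_http = {}                         # dst -> (ts, src) of the most recent HTTP request

    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["kind"] == "http":
            if rec["dst"] not in egx_hosts or rec["dport"] not in HTTP_PORTS:
                continue                   # only EGX HTTP traffic is in scope
            key = (rec["src"], rec["dst"])
            last_http[rec["dst"]] = (rec["ts"], rec["src"])
            if rec["src"] not in trusted and key not in seen_untrusted:
                seen_untrusted.add(key)
                alerts.append({"rule": "untrusted_source", "src": rec["src"], "dst": rec["dst"]})
            if rec["status"] == "malformed":
                hits = malformed[key]
                hits.append(rec["ts"])
                hits[:] = [t for t in hits if rec["ts"] - t <= WINDOW]   # drop old hits
                if len(hits) >= MALFORMED_THRESHOLD and key not in burst_reported:
                    burst_reported.add(key)
                    alerts.append({"rule": "malformed_burst", "src": rec["src"],
                                   "dst": rec["dst"], "count": len(hits)})
        elif rec["kind"] == "event":
            if rec["host"] in egx_hosts and "restart" in rec["msg"].lower():
                prior = last_http.get(rec["host"])
                if prior and rec["ts"] - prior[0] <= RESTART_LOOKBACK:
                    alerts.append({"rule": "restart_after_http", "dst": rec["host"],
                                   "last_src": prior[1]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Each rule fires once per source/device pair rather than per packet, so a scan that hammers a device does not flood the queue; the restart rule deliberately names the last HTTP peer so an analyst can pivot straight to that source.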