CVE-2021-22807

7.8 HIGH

📋 TL;DR

A malicious *.gd1 configuration file, once loaded into the Eurotherm GUIcon tool, can trigger arbitrary code execution. The injected code runs with the privileges of the user who opened the file, so an attacker who tricks an engineer into opening a crafted file takes over that engineering workstation; where GUIcon is run as a local administrator, that means full control of the host. Affects Eurotherm by Schneider Electric GUIcon Version 2.0 (Build 683.003) and prior.

💻 Affected Systems

Products:
  • Eurotherm by Schneider Electric GUIcon
Versions: Version 2.0 (Build 683.003) and prior
Operating Systems: Windows (GUIcon is a Windows desktop application; the flaw is in GUIcon's handling of *.gd1 files, not in any particular Windows release)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability triggers when GUIcon loads a *.gd1 configuration file, which is the tool's everyday workflow; no unusual setting or option is required.

📦 What is this software?

Eurotherm GUIcon is a Windows engineering tool from Eurotherm by Schneider Electric used to create and open configuration files stored as *.gd1. Because opening those files is its normal function, the malicious-file vector described here is the tool's ordinary input path, not an exotic one.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the engineering workstation. The attacker's code runs with the privileges of the user who opened the file; where engineers run GUIcon as a local administrator, that is full administrative control, enough to install persistent malware and pivot to other systems, including the equipment the workstation configures.

🟠

Likely Case

Arbitrary code execution as the engineering user who opened the file (this is not a privilege-escalation bug in itself), used to disrupt the industrial process, steal configuration data, or stage ransomware on the OT network.

🟢

If Mitigated

Limited impact if GUIcon workstations are segmented from the corporate network, engineers treat *.gd1 files from outside the site as untrusted, and GUIcon runs under a non-administrative account. Note that air-gapping alone does not stop a file-borne attack: the crafted file can arrive on removable media.

🌐 Internet-Facing: LOW - GUIcon is typically used in industrial control environments not directly internet-facing.
🏢 Internal Only: HIGH - Within industrial networks, this could be exploited via phishing, USB drives, or compromised engineering workstations.

🎯 Exploit Status

Public PoC: No (none known)
Weaponized: UNKNOWN
Unauthenticated Exploit: No (a local user must open the crafted file)
Complexity: MEDIUM

Requires user interaction: a user must open the malicious *.gd1 file in GUIcon. No public exploit code is known at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.0 (Build 683.004) or later

Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-313-07

Restart Required: Yes

Instructions:

1. Download the updated version from the Schneider Electric portal.
2. Back up existing configurations.
3. Uninstall the old version.
4. Install the new version.
5. Restart the system.
6. Restore configurations.

🔧 Temporary Workarounds

Restrict *.gd1 file handling

windows

Configure Windows to open *.gd1 files with a text editor instead of GUIcon by default, so that double-clicking an attachment or a file on removable media does not launch GUIcon against it.

Control Panel > Default Programs > Associate a file type or protocol with a program > Select .gd1 > Change program > Choose Notepad or other text editor

Caveat: this only removes the double-click path. The vulnerability triggers whenever GUIcon loads the file, so a user who opens the same file from within GUIcon (File > Open) is still exposed. Treat this as friction against accidental opening, not as a fix.

Application whitelisting

windows

Use AppLocker or similar to block execution from user-writable locations (Downloads, %TEMP%, removable media) on GUIcon workstations. This does not stop the memory corruption inside GUIcon, but it prevents a successful exploit from running executables it drops on disk, which limits post-exploitation.

🧯 If You Can't Patch

  • Implement strict user training: never open *.gd1 files from untrusted sources (email, downloads, removable media of unknown origin)
  • Run GUIcon under a standard (non-administrative) user account, so that code executed through a malicious file does not start with administrative rights
  • Network segmentation: isolate systems running GUIcon from the general corporate network

🔍 How to Verify

Check if Vulnerable:

Check GUIcon version in Help > About. If version is 2.0 (Build 683.003) or earlier, system is vulnerable.

Check Version:

Check GUIcon application properties or Help > About menu

Verify Fix Applied:

Verify GUIcon version shows 2.0 (Build 683.004) or later in Help > About.
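To check a fleet of workstations rather than one Help > About dialog at a time, the following PowerShell, added here and not taken from the vendor advisory or the GUIcon product, inventories registered GUIcon installs, reads the executable's version resources, and offers a helper that applies this page's build threshold to the Help > About string. It assumes GUIcon's uninstall entry and executable name contain "GUIcon" and that the dialog's "Build NNN.NNN" token compares as a dotted version; adjust the patterns if your install differs.

```powershell
# Added example for inventorying GUIcon installs; not vendor code.
# Assumptions (adjust to your environment):
#   - the uninstall entry's DisplayName and the executable name contain "GUIcon"
#   - the fixed build is 683.004, as stated on this page
$NamePattern = 'GUIcon'
$FixedBuild  = [version]'683.004'   # System.Version parses this as 683.4

function Test-GUIconVulnerable {
    # Applies the page's threshold to a Help > About string such as
    # "Version 2.0 (Build 683.003)". Returns $true when the build predates the fix.
    param([Parameter(Mandatory)][string]$AboutText)
    if ($AboutText -match 'Build\s+(\d+\.\d+)') {
        return ([version]$Matches[1]) -lt $FixedBuild
    }
    throw "No 'Build NNN.NNN' token found in '$AboutText'"
}

# 1. Find installs via the uninstall registry (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$NamePattern*" }

if (-not $installs) {
    Write-Output "No product matching '$NamePattern' is registered on $env:COMPUTERNAME."
}

# 2. For each install, report the registry version and the executable's version resources.
#    The registry DisplayVersion and the file's FileVersion/ProductVersion may use
#    different formats; record both and compare against the Help > About string.
foreach ($app in $installs) {
    Write-Output ("{0}: DisplayVersion={1} InstallLocation={2}" -f
        $app.DisplayName, $app.DisplayVersion, $app.InstallLocation)

    if ($app.InstallLocation -and (Test-Path -LiteralPath $app.InstallLocation)) {
        Get-ChildItem -LiteralPath $app.InstallLocation -Filter "$NamePattern*.exe" -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi = $_.VersionInfo
                Write-Output ("  {0}: FileVersion={1} ProductVersion={2}" -f
                    $_.FullName, $vi.FileVersion, $vi.ProductVersion)
            }
    }
}

# 3. Apply the threshold to whatever Help > About reports (paste the string from the dialog).
Test-GUIconVulnerable 'Version 2.0 (Build 683.003)'   # the last affected build named on this page
Test-GUIconVulnerable 'Version 2.0 (Build 683.004)'   # the fixed build named on this page
```

Run it locally on each engineering workstation, or wrap it in Invoke-Command for remote hosts. The registry and file-version strings are evidence to correlate with the About dialog, not a replacement for it, since the page only defines the threshold in terms of the "Build" number shown there.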

📡 Detection & Monitoring

Log Indicators:

  • Windows Application log Event ID 1000 (Application Error) or 1001 (Windows Error Reporting) naming GUIcon as the faulting application: an exploit attempt that does not land cleanly typically crashes the file parser
  • Process-creation events (Security Event ID 4688, or Sysmon Event ID 1) where GUIcon is the parent of a shell, script host or other unexpected child; a configuration editor has no legitimate reason to spawn these

Network Indicators:

  • Unusual outbound connections from engineering workstations, particularly shortly after GUIcon opens a file
  • *.gd1 files arriving from outside the engineering network (email attachments, internet downloads, removable media) rather than from the site's usual configuration store

SIEM Query:

Splunk-style search (field names as extracted by the Splunk Add-on for Windows; the "GUIcon*" executable pattern is an assumption, since the page does not name the binary). The first clause needs process-creation auditing enabled; the third is the Sysmon equivalent if Sysmon is deployed.

(source="WinEventLog:Security" EventCode=4688 Creator_Process_Name="*\\GUIcon*") OR (source="WinEventLog:Application" EventCode=1000 Message="Faulting application name: GUIcon*") OR (source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ParentImage="*\\GUIcon*")
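Where no SIEM is collecting from the engineering network, the same two checks can be run directly on a workstation with PowerShell. The script below is an added hunting example, not from the advisory or the vendor: it pulls Application log crashes attributed to GUIcon and Security log process-creation events whose parent is GUIcon, then flags children that a configuration editor should never launch. It assumes the GUIcon executable name begins with "GUIcon", that process-creation auditing (Event 4688) is enabled, and that it runs with rights to read the Security log.

```powershell
# Added hunting example; not from the advisory or vendor.
# Assumptions (adjust to your environment):
#   - the GUIcon executable name begins with "GUIcon"
#   - process-creation auditing (Security Event 4688) is enabled; the parent path is
#     only present in 4688 on Windows 10 / Server 2016 and later
#   - the script runs with rights to read the Security log
$ExePattern = 'GUIcon*'
$Since      = (Get-Date).AddDays(-7)

# Children a configuration editor has no legitimate reason to launch.
$SuspectChildren = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
                   'mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe'

# 1. Crashes. An exploit attempt that does not land cleanly usually kills GUIcon, which
#    Windows records as Application log Event 1000 (source "Application Error"); the
#    first line of the message names the faulting executable.
$crashes = Get-WinEvent -FilterHashtable @{ LogName='Application'; Id=1000; StartTime=$Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*Faulting application name: $ExePattern*" } |
    Select-Object TimeCreated, @{ n='Summary'; e={ ($_.Message -split '\r?\n')[0] } }

# 2. Child processes of GUIcon. Parse the 4688 EventData so the parent path can be tested;
#    the XML field names are ParentProcessName, NewProcessName and CommandLine.
$children = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688; StartTime=$Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Parent      = $data['ParentProcessName']
            Child       = $data['NewProcessName']
            CommandLine = $data['CommandLine']
        }
    } |
    Where-Object { $_.Parent -like "*\$ExePattern" }

# 3. Report. Any child at all deserves a look; a child from the suspect list is a strong signal.
Write-Output ("GUIcon crashes since {0}: {1}" -f $Since, @($crashes).Count)
$crashes | Format-Table -AutoSize

Write-Output ("Processes spawned by GUIcon since {0}: {1}" -f $Since, @($children).Count)
$children |
    Select-Object TimeCreated, Parent, Child, CommandLine,
        @{ n='Suspect'; e={ if ($_.Child) { $SuspectChildren -contains (Split-Path $_.Child -Leaf) } else { $false } } } |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize
```

A week of 4688 events on a busy host can be large; narrow $Since or add a pre-filter if the Security log is noisy. If Sysmon is present, Event ID 1 in Microsoft-Windows-Sysmon/Operational carries ParentImage and Image directly and avoids the XML parsing step.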

🔗 References

  • Schneider Electric Security Notification SEVD-2021-313-07: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-313-07
  • NVD entry for CVE-2021-22807: https://nvd.nist.gov/vuln/detail/CVE-2021-22807