CVE-2022-22722
📋 TL;DR
CVE-2022-22722 is a hard-coded SSH cryptographic key vulnerability in Schneider Electric Easergy P5 protection relays. Attackers who obtain the key and gain access to the local operational network could observe and manipulate product configuration traffic, potentially leading to information disclosure and operational disruption. All organizations using Easergy P5 relays with firmware versions prior to V01.401.101 are affected.
💻 Affected Systems
- Schneider Electric Easergy P5
📦 What is this software?
Easergy P5 Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of device configuration, manipulation of protection settings leading to equipment damage or power outages, and persistent access to operational networks.
Likely Case
Unauthorized access to device configuration, monitoring of operational traffic, and potential manipulation of device settings affecting grid reliability.
If Mitigated
Limited to network reconnaissance if proper network segmentation and access controls prevent lateral movement to affected devices.
🎯 Exploit Status
Requires obtaining the hard-coded SSH key and gaining access to the local operational network. No public exploit code is available, but the vulnerability is well documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V01.401.101
Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-03
Restart Required: Yes
Instructions:
1. Download firmware V01.401.101 from Schneider Electric portal.
2. Backup current configuration.
3. Upload new firmware via device management interface.
4. Reboot device.
5. Verify firmware version and restore configuration if needed.
🔧 Temporary Workarounds
Network Segmentation
Isolate Easergy P5 devices in dedicated VLANs with strict firewall rules preventing unauthorized access.
Access Control Lists
Implement network ACLs to restrict SSH access to authorized management stations only.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected devices from general network traffic
- Deploy network monitoring and intrusion detection specifically for SSH traffic to/from Easergy P5 devices
🔍 How to Verify
Check if Vulnerable:
Check firmware version via device web interface or SSH connection; versions below V01.401.101 are vulnerable.
Check Version:
ssh admin@device_ip 'show version' or check via web interface at http://device_ip
Verify Fix Applied:
Verify firmware version shows V01.401.101 or higher in device management interface.
📡 Detection & Monitoring
Log Indicators:
- Unexpected SSH connections to Easergy P5 devices
- Failed SSH authentication attempts from unknown sources
- Configuration changes outside maintenance windows
Network Indicators:
- SSH traffic to Easergy P5 devices from unauthorized IP addresses
- Unusual port scanning within operational network segments
SIEM Query:
source="network_firewall" dest_ip="easergy_p5_subnet" dest_port=22 AND NOT src_ip IN (authorized_management_ips)
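The same filter as the SIEM query above, applied to firewall log lines, as an added example that is not part of the original page or vendor advisory. The relay subnet, the authorized management addresses, and the key=value log format are assumptions (documentation address ranges and constructed sample lines).

```python
import ipaddress

# Assumed values for illustration (documentation ranges, not from the advisory).
RELAY_SUBNET = ipaddress.ip_network("192.0.2.0/24")         # easergy_p5_subnet
AUTHORIZED_MGMT = {ipaddress.ip_address("198.51.100.10"),   # authorized_management_ips
                   ipaddress.ip_address("198.51.100.11")}
SSH_PORT = 22

# Constructed firewall log lines in key=value form.
SAMPLE_LOG = """\
ts=2024-01-10T02:14:07Z action=allow src_ip=198.51.100.10 dest_ip=192.0.2.21 dest_port=22
ts=2024-01-10T02:15:44Z action=allow src_ip=203.0.113.77 dest_ip=192.0.2.21 dest_port=22
ts=2024-01-10T02:16:02Z action=allow src_ip=203.0.113.77 dest_ip=192.0.2.21 dest_port=443
ts=2024-01-10T02:17:30Z action=deny src_ip=203.0.113.80 dest_ip=192.0.2.35 dest_port=22
ts=2024-01-10T02:18:11Z action=allow src_ip=203.0.113.77 dest_ip=198.51.100.50 dest_port=22
malformed line without fields
"""

def parse_line(line):
    """Return the parsed event, or None if a required field is missing or invalid."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {
            "ts": fields["ts"],
            "action": fields["action"],
            "src": ipaddress.ip_address(fields["src_ip"]),
            "dst": ipaddress.ip_address(fields["dest_ip"]),
            "port": int(fields["dest_port"]),
        }
    except (KeyError, ValueError):
        return None

def unauthorized_ssh(log_text):
    """Return events with dest in the relay subnet, dest_port 22, src not authorized."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines that cannot be evaluated
        if (ev["dst"] in RELAY_SUBNET and ev["port"] == SSH_PORT
                and ev["src"] not in AUTHORIZED_MGMT):
            hits.append(ev)  # denied attempts are kept: they still show probing
    return hits

if __name__ == "__main__":
    for ev in unauthorized_ssh(SAMPLE_LOG):
        print(f'{ev["ts"]} {ev["action"]:5} {ev["src"]} -> {ev["dst"]}:{ev["port"]}')
```

Events with action=allow deserve the most urgent review, since the connection reached the relay's SSH service.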