CVE-2023-27980
📋 TL;DR
This vulnerability allows unauthenticated attackers to create malicious report files in IGSS project directories via the Data Server TCP interface. When a victim opens the malicious report, it can lead to remote code execution. Affected products include IGSS Data Server, IGSS Dashboard, and Custom Reports components.
💻 Affected Systems
- IGSS Data Server (IGSSdataServer.exe)
- IGSS Dashboard (DashBoard.exe)
- Custom Reports (RMS16.dll)
📦 What is this software?
Custom Reports by Schneider Electric
IGSS Dashboard by Schneider Electric
IGSS Data Server by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with system-level privileges, potentially leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Attackers create malicious report files that execute arbitrary code when opened by legitimate users, leading to lateral movement within the network.
If Mitigated
With proper network segmentation and authentication controls, exploitation would be limited to authenticated users only.
🎯 Exploit Status
The vulnerability requires no authentication and involves creating malicious files that execute when opened, making exploitation relatively straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after V16.0.0.23040
Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-073-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-073-04.pdf
Restart Required: Yes
Instructions:
1. Download the latest version from Schneider Electric
2. Stop all IGSS services
3. Install the updated version
4. Restart services
🔧 Temporary Workarounds
Restrict Data Server TCP Interface Access
Windows: Block or restrict access to the Data Server TCP interface using firewall rules
Windows Firewall: New-NetFirewallRule -DisplayName "Block IGSS Data Server" -Direction Inbound -Protocol TCP -LocalPort [PORT_NUMBER] -Action Block
Implement Network Segmentation
All platforms: Isolate IGSS systems from untrusted networks and limit access to authorized users only
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the Data Server TCP interface
- Disable the Data Server TCP interface if not required for operations
🔍 How to Verify
Check if Vulnerable:
Check IGSS component versions against affected version range V16.0.0.23040 and prior
Check Version:
For IGSSdataServer.exe: Right-click file → Properties → Details → File version
Verify Fix Applied:
Verify installed version is newer than V16.0.0.23040 and check that authentication is required for Data Server TCP functions
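The version check described above, scripted for all three affected components. This is an added example, not code from Schneider Electric or the original page. The `-IgssPath` parameter is an assumption (the page gives no install path), as is the premise that every listed binary carries the product build number in its file version; the page states this only for IGSSdataServer.exe.

```powershell
param(
    # Assumption: folder that holds the IGSS binaries; the page gives no install path.
    [Parameter(Mandatory = $true)]
    [string]$IgssPath
)

# Last affected version stated on this page (V16.0.0.23040 and prior).
$lastAffected = [version]'16.0.0.23040'

# File names as listed under "Affected Systems".
$components = 'IGSSdataServer.exe', 'DashBoard.exe', 'RMS16.dll'

$results = foreach ($name in $components) {
    $file = Get-ChildItem -Path $IgssPath -Filter $name -File -Recurse -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $ver = $null

    if (-not $file) {
        $status = 'NotFound'
    } elseif (-not $file.VersionInfo.FileVersion) {
        # No version resource: do not guess, flag for manual review.
        $status = 'NoVersionInfo'
    } else {
        # Build the version from the numeric parts; the FileVersion string can
        # contain commas or extra text that [version] cannot parse.
        $vi  = $file.VersionInfo
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)
        $status = if ($ver -le $lastAffected) { 'Affected' } else { 'Fixed' }
    }

    [pscustomobject]@{
        Component   = $name
        FileVersion = $ver
        Status      = $status
        Path        = $file.FullName
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code when any component is still in the affected range,
# so the script can be used from an inventory or compliance job.
if ($results.Status -contains 'Affected') { exit 1 }
```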
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated connections to Data Server TCP port
- Unexpected file creation in IGSS report directories
- Process execution from report files
Network Indicators:
- Unusual traffic to Data Server TCP port from unauthorized sources
- File transfer patterns to report directories
SIEM Query:
source="IGSS" AND ((event_type="file_creation" AND file_path="*report*" AND user="*") OR (connection="tcp" AND dest_port="[DATA_SERVER_PORT]" AND auth_status="failed"))