CVE-2023-27981
📋 TL;DR
This vulnerability allows remote code execution through path traversal in Schneider Electric's IGSS software. An attacker can craft a malicious report file that, when opened by a victim, executes arbitrary code on the system. Affected users include anyone running vulnerable versions of IGSS Data Server, IGSS Dashboard, or Custom Reports components.
💻 Affected Systems
- IGSS Data Server (IGSSdataServer.exe)
- IGSS Dashboard (DashBoard.exe)
- Custom Reports (RMS16.dll)
📦 What is this software?
Custom Reports by Schneider Electric
IGSS Dashboard by Schneider Electric
IGSS Data Server by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive industrial control system data and potential disruption of operations.
If Mitigated
Limited impact with proper network segmentation and user privilege restrictions, potentially only affecting the specific IGSS application context.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious report file), but the path traversal mechanism is straightforward once the malicious file is executed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after V16.0.0.23040
Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-073-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2023-073-04.pdf
Restart Required: Yes
Instructions:
1. Download the latest version from Schneider Electric's official website
2. Backup existing configurations and data
3. Uninstall the vulnerable version
4. Install the updated version
5. Restart the system
6. Verify the installation and restore configurations
🔧 Temporary Workarounds
Restrict Report File Execution
Windows: Block execution of custom report files from untrusted sources
Network Segmentation
All: Isolate IGSS systems from general network traffic and internet access
🧯 If You Can't Patch
- Implement strict file validation for all report files before opening
- Apply principle of least privilege to IGSS application users and service accounts
🔍 How to Verify
Check if Vulnerable:
Check the file version of IGSSDataServer.exe, DashBoard.exe, and RMS16.dll. If the version of any of them is 16.0.0.23040 or earlier, the system is vulnerable.
Check Version:
Right-click on IGSSDataServer.exe → Properties → Details tab → File version
Verify Fix Applied:
Verify that all IGSS components are updated to versions after 16.0.0.23040 and that the patch installation was successful.
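The version check above can be scripted across all three components. The following PowerShell is an added example, not vendor tooling; the `SearchRoot` parameter is an assumption of this example, because this page does not give the IGSS install path, so pass the directory used on your system.

```powershell
# Added example: flag IGSS components at or below the last vulnerable build.
# Usage (script name and path are placeholders): .\Check-IgssVersion.ps1 -SearchRoot 'D:\YourIgssInstallDir'
param(
    # Assumption: root folder that contains the IGSS installation.
    [Parameter(Mandatory = $true)]
    [string]$SearchRoot
)

# Last vulnerable version and component file names, as stated on this page.
$lastVulnerable = [version]'16.0.0.23040'
$components     = 'IGSSdataServer.exe', 'DashBoard.exe', 'RMS16.dll'

$found = Get-ChildItem -Path $SearchRoot -Recurse -File -Include $components -ErrorAction SilentlyContinue
if (-not $found) {
    Write-Warning "No IGSS components found under '$SearchRoot'; check the path."
    return
}

$results = foreach ($file in $found) {
    $vi = $file.VersionInfo
    if ([string]::IsNullOrEmpty($vi.FileVersion)) {
        # No version resource: report it for manual review instead of guessing.
        $ver    = $null
        $status = 'UNKNOWN'
    }
    else {
        # Use the numeric parts; the FileVersion string can carry extra text.
        $ver    = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                 $vi.FileBuildPart, $vi.FilePrivatePart)
        $status = if ($ver -le $lastVulnerable) { 'VULNERABLE' } else { 'Patched' }
    }
    [pscustomobject]@{
        Status      = $status
        FileVersion = $ver
        Path        = $file.FullName
    }
}

$results | Sort-Object Status, Path | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or compliance job act on the result.
if ($results.Status -contains 'VULNERABLE' -or $results.Status -contains 'UNKNOWN') { exit 1 }
```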
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in IGSS logs
- Execution of unexpected processes from IGSS context
- Failed attempts to access restricted directories
Network Indicators:
- Unusual network connections originating from IGSS systems
- Unexpected file transfers involving report files
SIEM Query:
Process creation events where parent process contains 'IGSS' or 'Dashboard' and child process is unexpected system command