Schneider Electric’s EcoStruxure IT: A Comedy of Errors with Server-Side Request Forgery Vulnerability!
Schneider Electric EcoStruxure IT Data Center Expert has a vulnerability as exciting as an internet-less day. The unauthenticated server-side request forgery lets hackers send HTTP requests to arbitrary locations, even chatting up the SMTP service. Upgrade to version 9.0 to keep your data center from turning into an involuntary pen pal.

Hot Take:
In an electrifying twist, Schneider Electric’s EcoStruxure IT Data Center Expert has unexpectedly become a tad too friendly with its HTTP requests, letting them jump to arbitrary locations. This vulnerability is like giving your mailman the keys to your house just because he asked nicely. Time to change those locks and update to version 9.0, folks!
Key Points:
- Schneider Electric’s EcoStruxure IT Data Center Expert version 8.3 and prior is vulnerable to a Server-Side Request Forgery (SSRF) attack.
- The vulnerability allows unauthenticated users to forward HTTP requests to arbitrary locations using the appliance.
- Version 9.0 of the software contains fixes for this vulnerability.
- The flaw was discovered by KoreLogic, Inc. in November 2024.
- A detailed timeline of the vulnerability’s disclosure and patching process is available.
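The defensive side of the SSRF described above, as an added example that is not from the article or from Schneider Electric: an outbound-request gate that an appliance can apply before forwarding any user-influenced URL. It rejects non-HTTP schemes, credentials embedded in the URL, ports other than 80/443 (so the SMTP port cannot be reached this way), and any host that resolves to a loopback, private, link-local, shared-address-space or otherwise non-public address. The hostnames and the `fake_resolver` table are constructed for the demonstration; the resolver is injectable so the check runs offline.

```python
"""Outbound URL gate against server-side request forgery (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
DEFAULT_PORTS = {"http": 80, "https": 443}
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 (CGNAT)


class SsrfBlocked(Exception):
    """Raised when a URL must not be forwarded by the appliance."""


def default_resolver(host):
    """Resolve a hostname to all of its IPv4/IPv6 addresses via real DNS."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def fake_resolver(host):
    """Constructed lookup table standing in for DNS so the example runs offline."""
    table = {
        "public.example": ["93.184.216.34"],
        "intranet.example": ["10.0.0.5"],
        # A name that resolves to one public and one loopback address must be
        # rejected: an attacker-controlled zone can mix records this way.
        "twoface.example": ["93.184.216.34", "127.0.0.1"],
    }
    return table.get(host, [])


def is_public_address(addr_text):
    """True only for addresses that are routable on the public internet."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        # ::ffff:127.0.0.1 and friends are judged by their embedded IPv4 address.
        return is_public_address(str(addr.ipv4_mapped))
    if addr.version == 4 and addr in SHARED_ADDRESS_SPACE:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url, resolver=default_resolver):
    """Validate a URL the appliance is asked to forward a request to.

    Returns (hostname, port, addresses) on success, raises SsrfBlocked otherwise.
    Callers should connect to one of the returned addresses rather than
    re-resolving the name, so a DNS answer cannot change after the check.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SsrfBlocked("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise SsrfBlocked("missing host")
    try:
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        raise SsrfBlocked(f"invalid port in URL: {exc}") from None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    if port not in ALLOWED_PORTS:
        raise SsrfBlocked(f"port not allowed: {port}")

    try:
        ipaddress.ip_address(host)
        addresses = [host]  # IP literal: nothing to resolve
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise SsrfBlocked(f"host does not resolve: {host!r}")
    for addr in addresses:
        if not is_public_address(addr):
            raise SsrfBlocked(f"host {host!r} resolves to non-public address {addr}")
    return host, port, addresses


def is_allowed(url, resolver=default_resolver):
    """Boolean convenience wrapper around check_outbound_url."""
    try:
        check_outbound_url(url, resolver)
        return True
    except SsrfBlocked:
        return False


if __name__ == "__main__":
    for candidate in ("https://public.example/report", "http://127.0.0.1:25/",
                      "http://169.254.169.254/latest/", "http://twoface.example/"):
        print(candidate, "->", "allowed" if is_allowed(candidate, fake_resolver) else "blocked")
```

The gate checks every address a name resolves to, not just the first, and hands the vetted addresses back to the caller; connecting to those addresses instead of resolving again closes the window in which a rebinding DNS answer could point the same name at an internal host.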