OS Command Injection vulnerabilities in Schneider Electric products


Overview of CVE-2025-9997 and CVE-2025-9996

CVE-2025-9997 and CVE-2025-9996 are vulnerabilities classified under CWE-78, which is "Improper Neutralization of Special Elements used in an OS Command" (commonly known as OS Command Injection). These vulnerabilities have been identified in Schneider Electric's BLMon Console running on Saitel DR RTU and Saitel DP RTU devices. They allow an attacker with SSH access to inject and execute arbitrary shell commands on the underlying operating system.


Technical Details

  • Affected Products:

    • Schneider Electric Saitel DR RTU versions 11.06.29 and prior

    • Schneider Electric Saitel DP RTU versions 11.06.33 and prior

  • Vulnerability Mechanism:
    The BLMon (Baseline Monitor) console, when accessed through an SSH session, improperly neutralizes special elements in OS commands. Input containing shell metacharacters can therefore alter the OS command that the console actually executes.

  • CVE-2025-9997:

    • Allows command injection in BLMon when it is executed in the operating-system console during an SSH session.

    • CVSS v3.1 base score: 6.6 (Medium severity)

    • CVSS v4 base score: 5.8

    • Impact: Could lead to execution of arbitrary shell commands, compromising system confidentiality, integrity, and availability.

  • CVE-2025-9996:

    • Allows execution of arbitrary shell commands when the netstat command is executed through the BLMon console in an SSH session.

    • CVSS scores and impact similar to those of CVE-2025-9997.
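The mechanism behind both CVEs is the classic CWE-78 pattern: a user-controlled string is spliced into a command line that a shell parses. The following is an added illustration written for this page, not BLMon's own code (BLMon's implementation is not published here). It contrasts the vulnerable "before" shape with a hardened wrapper for the netstat case named in CVE-2025-9996: the allowlist of netstat switches, the `netstat_vulnerable`/`build_netstat_argv`/`accepts`/`run_netstat` names and the tokenising rules are all assumptions made for the example.

```python
import re
import shlex
import subprocess

# Constructed allowlist for this example: the only netstat switches the console
# wrapper will pass through. Each token must be a dash followed by letters from
# this set, e.g. "-an" or "-r". Anything else (";", "$(", "|", "`", paths) is rejected.
NETSTAT_FLAG_RE = re.compile(r"-[antulrips]{1,5}")


def netstat_vulnerable(user_opts: str) -> str:
    """'Before' pattern (CWE-78): the raw user string is spliced into a command
    line that would be handed to a shell, so shell metacharacters in user_opts
    change which commands run. Returned as a string, not executed: contrast only."""
    return "netstat " + user_opts


def build_netstat_argv(user_opts: str) -> list[str]:
    """Hardened form: tokenise, accept only allowlisted switches, and return an
    argv list. Raises ValueError for any token outside the allowlist."""
    try:
        tokens = shlex.split(user_opts)
    except ValueError as exc:  # unbalanced quotes and similar
        raise ValueError(f"unparseable options: {user_opts!r}") from exc
    for tok in tokens:
        if not NETSTAT_FLAG_RE.fullmatch(tok):
            raise ValueError(f"option not permitted: {tok!r}")
    return ["netstat", *tokens]


def accepts(user_opts: str) -> bool:
    """True if the hardened wrapper would run the request, False if it rejects it."""
    try:
        build_netstat_argv(user_opts)
        return True
    except ValueError:
        return False


def run_netstat(user_opts: str) -> subprocess.CompletedProcess:
    """Execute the validated argv directly (shell=False), so every token reaches
    netstat as one argument and is never re-parsed by a shell."""
    argv = build_netstat_argv(user_opts)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for request in ["-an", "-rn", "-an; id", "$(id)", "-an | cat"]:
        verdict = "run" if accepts(request) else "REJECT"
        print(f"{request!r:14} vulnerable builds {netstat_vulnerable(request)!r:24} hardened: {verdict}")
```

The two defences are independent and both matter: the allowlist rejects anything that is not a known switch, and executing an argv list without a shell means that even a token that slipped past validation would be delivered to netstat as data rather than interpreted as command syntax.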


Sample Attack Scenario

  1. Access: An attacker first gains low-privileged SSH access to a Schneider Electric Saitel DR or DP RTU device running the vulnerable BLMon console.
  2. Injection: During the SSH session, the attacker executes a command through the BLMon interface that includes special shell characters or crafted input designed to break out of the intended command context.
  3. Command Execution: Due to improper neutralization of special characters, the injected command is executed by the operating system with the privileges of the BLMon process.
  4. Result: The attacker can run arbitrary shell commands, potentially leading to system compromise, data exfiltration, denial of service, or permanent device manipulation.


Mitigation and Recommendations

  • Patch Installation: Apply the security updates released by Schneider Electric addressing these vulnerabilities. Versions newer than 11.06.29 for DR RTU and 11.06.33 for DP RTU contain the fix.
  • Access Controls: Limit SSH access to trusted personnel and require secure authentication methods to reduce the attack surface.
  • Input Validation: Ensure the BLMon console and other SSH-accessible interfaces properly sanitize and neutralize special shell characters.
  • Monitoring: Monitor SSH access logs and the commands executed for suspicious activity indicative of command injection.
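The monitoring recommendation above can be made concrete with a small correlation rule: tie each console command to the SSH login that preceded it and flag commands whose arguments carry shell metacharacters. The script below is an added example for this page, not a Schneider Electric tool. The sshd lines in the sample follow the standard OpenSSH "Accepted ..." format, but the `blmon[...] user=... cmd='...'` layout is an assumption, since BLMon's real log format is not documented on this page; the sample log is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample log for this example (not captured from a real device).
SAMPLE_LOG = """\
2025-10-01T10:02:11Z sshd[1201]: Accepted password for operator from 10.0.0.5 port 50122 ssh2
2025-10-01T10:02:15Z blmon[1210]: user=operator cmd='netstat -an'
2025-10-01T10:02:40Z blmon[1210]: user=operator cmd='netstat -an; id'
2025-10-01T10:03:02Z blmon[1210]: user=operator cmd='netstat $(uname -a)'
2025-10-01T10:03:30Z blmon[1210]: user=operator cmd='status'
2025-10-01T10:05:00Z sshd[1290]: Accepted publickey for maint from 10.0.0.9 port 50131 ssh2
2025-10-01T10:05:08Z blmon[1301]: user=maint cmd='netstat -rn'
"""

# OpenSSH login line: "Accepted <method> for <user> from <addr> port <n> ssh2".
SSH_LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port")
# Assumed console audit line layout for this example.
BLMON_CMD_RE = re.compile(r"blmon\[\d+\]: user=(?P<user>\S+) cmd='(?P<cmd>[^']*)'")
# Shell metacharacters that have no legitimate place in a console command argument.
METACHAR_RE = re.compile(r"[;&|`$<>(){}\n]")


@dataclass
class Alert:
    timestamp: str
    user: str
    source_ip: str
    command: str
    metachars: str  # the distinct metacharacters seen, sorted


def find_injection_candidates(log_text: str) -> list[Alert]:
    """Walk the log in order, remember each user's most recent SSH source
    address, and raise an Alert for every console command containing
    shell metacharacters, attributed to that source address."""
    last_src: dict[str, str] = {}
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        timestamp = line.split(" ", 1)[0]
        if (m := SSH_LOGIN_RE.search(line)):
            last_src[m["user"]] = m["src"]
            continue
        if (m := BLMON_CMD_RE.search(line)):
            found = "".join(sorted(set(METACHAR_RE.findall(m["cmd"]))))
            if found:
                alerts.append(Alert(timestamp, m["user"],
                                    last_src.get(m["user"], "unknown"),
                                    m["cmd"], found))
    return alerts


if __name__ == "__main__":
    for alert in find_injection_candidates(SAMPLE_LOG):
        print(f"{alert.timestamp} user={alert.user} from={alert.source_ip} "
              f"metachars={alert.metachars!r} cmd={alert.command!r}")
```

The rule is deliberately narrow: ordinary `netstat -an` and `netstat -rn` requests produce no alert, while the two entries carrying `;` and `$(...)` are reported with the SSH source address they came from, which is the pivot an analyst needs to decide whether the session should be terminated and the account reviewed.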


Summary

CVE-2025-9997 and CVE-2025-9996 represent critical security risks in Schneider Electric Saitel RTU products, allowing command injection through the BLMon console in an SSH session. These vulnerabilities highlight the importance of robust input validation and timely patching to protect industrial control systems from remote code execution attacks.



Crow

physics, information technologies, author, educator
