Thanks to both the researcher at Tenable and the researcher Vyacheslav Moskvin working with Trend Micro Zero Day Initiative the IGSS team has become aware of 8 security issues concerning communication with the IGSSdataServer.exe (Data Server) module in IGSS V18.104.22.16820 and prior versions.
A security update has been released to fix the issues in IGSS version 15.
Make sure to update the IGSS software either by downloading the latest version by running IGSS Update from the IGSS Master module or install the latest update from our download section.
If you choose not to use the update provided, then please apply the following mitigations to reduce the risk of an exploit:
- Follow the general security recommendations provided in the security notification and verify that devices are isolated on a private network and that firewalls are configured with strict boundaries for devices that require remote access.
More details can be found in the the official security notification that has been released on Schneider Electric Global – Cybersecurity Notifications.