Schneider Electric Security Notification

Easergy Studio

8 October 2024

Overview

Schneider Electric is aware of a vulnerability in its Easergy Studio product.

The Easergy Studio product is a software solution for configuring, monitoring, and managing control devices.

Failure to apply the remediation provided below may risk unauthorized access to the installation directory for Easergy Studio, which could allow an attacker with access to the file system to elevate privileges.

Affected Products and Versions

Vulnerability Details

CVE ID: CVE-2024-9002

CVSS v3.1 Base Score: 7.8

CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity, and availability of the workstation when a non-admin authenticated user tries to perform privilege escalation by tampering with the binaries.

Note regarding vulnerability details: The severity of vulnerabilities was calculated using the CVSS Base metrics in version 3.1 (CVSS v3.1) without incorporating the Temporal and Environmental metrics. Schneider Electric recommends that customers score the CVSS Environmental metrics, which are specific to end-user organizations, and consider factors such as the presence of mitigations in that environment. Environmental metrics may refine the relative severity posed by the vulnerabilities described in this document within a customer's environment.
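
The Overview and Vulnerability Details describe privilege escalation by a non-admin user tampering with binaries in the installation directory. The PowerShell script below is an added example, not part of Schneider Electric's notification: it reports allow-ACEs that grant write-type rights on the directory and its binaries to any principal outside a short trusted list. The path `C:\Path\To\EasergyStudio` is a placeholder, the function name `Get-WeakAce` is hypothetical, and it is an assumption that the workstation is Windows with NTFS ACLs.

```powershell
param(
    # Placeholder path (assumption): set to the real installation directory.
    [string]$InstallDir = 'C:\Path\To\EasergyStudio'
)

# Write-type rights only; Modify and FullControl both contain these bits.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic rights can appear unmapped in an ACE: GENERIC_WRITE and GENERIC_ALL.
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

# Principals expected to hold write access to installed software.
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (template ACE, resolved when a file is created)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-WeakAce {
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ([int]$ace.FileSystemRights -band $writeBits)) { continue }
        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }
        # Resolve the SID to a name for the report; keep the SID if it is orphaned.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{
            Path      = $Path
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the directory itself, then every executable, library and driver beneath it.
$binaries = Get-ChildItem -LiteralPath $InstallDir -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
    ForEach-Object { $_.FullName }
$targets = @($InstallDir) + @($binaries)

$findings = foreach ($t in $targets) { Get-WeakAce -Path $t }
$findings | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap
```

Any row naming `BUILTIN\Users`, `Authenticated Users` or `Everyone` means a non-admin account can replace or alter that file; an empty result means no such entry was found for the paths checked.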