A stack-based buffer overflow was found in InduSoft Web Studio, an automation tool used to develop human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems and embedded instrumentation solutions that connect operational technology (OT) with the Internet or corporate intranets, and in InTouch Machine Edition, a scalable HMI client.
In its advisory, Schneider Electric said: "InduSoft Web Studio and InTouch Machine Edition provide the capability for an HMI client to read, write tags and monitor alarms and events.
"A remote malicious entity could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event-related actions such as read and write, with potential for code to be executed.
InduSoft Web Studio is deployed across several heavy industries, including manufacturing, oil and gas and automotive.
In a statement, Tenable said that, given the increase in distributed and remote monitoring in industrial environments, operational technology and IT were converging.
It said as OT became increasingly connected and lacked boundaries, these safety-critical systems were increasingly vulnerable to cyber attacks.
"Digital transformation has made its way to critical infrastructure, connecting once-isolated systems to the outside world," said Dave Cole, chief product officer, Tenable.
"This Schneider Electric vulnerability is particularly concerning because of the potential access it grants cyber criminals looking to do serious damage to systems that quite literally power our communities."