SEVD-2022-039-04
Schneider Electric is aware of multiple vulnerabilities in its spaceLYnk, Wiser for KNX, and fellerLYnk products. spaceLYnk is a centralized solution that reduces energy and maintenance costs, increases comfort and flexibility, and simplifies building management. Wiser for KNX products (formerly known as homeLYnk) are personalized energy efficiency solutions, offering a complete system based on open protocols: KNX, Modbus, BACnet and IP. fellerLYnk offers more flexibility in visualization and trend recording, as well as functions such as presence simulation or time switches that the end customer can easily manage.

Failure to apply the remediations provided below may risk a Cross-Site Request Forgery (CSRF), Missing Authentication, rate limit, or Stored Cross-Site Scripting (XSS) attack, which could result in exfiltrated data and unauthorized access.

March 2022 Update: The CVSS score has been updated for CVE-2022-22811 and CVE-2022-22812.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Schneider Electric | Wiser for KNX (formerly homeLYnk) | 2.7.0 |
| Schneider Electric | Wiser for KNX (formerly homeLYnk) | V2.6.2 and prior |
| Schneider Electric | fellerLYnk | 2.7.0 |
| Schneider Electric | spaceLYnk | 2.7.0 |
| Schneider Electric | fellerLYnk | V2.6.2 and prior |
| Schneider Electric | spaceLYnk | V2.6.2 and prior |
Timeline
- Feb 8, 2022 CVE Published
- Mar 8, 2022 CVE Updated
References
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04 advisory
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2022-039-04.json advisory
- https://www.se.com/us/en/download/document/7EN52-0390/ advisory
- https://www.se.com/ww/en/product/LSS100200/spacelynk-logic-controller/ fix
- https://www.se.com/ww/en/product/LSS100100/wiser-for-knx-logic-controller/ fix
- https://online-katalog.feller.ch/download/index.php?menueidLev1=279&menueidLev2=662&menueidLev3=664 fix