Improper Enforcement of Message Integrity During Transmission in a Communication Channel in Schneider Electric Pro-face GP-Pro EX and Remote HMI

Published: 2025-02-06

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2024-12399
CWE-ID	CWE-924
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Pro-face GP-Pro EX Universal components / Libraries / Software for developers Pro-face Remote HMI Universal components / Libraries / Software for developers
Vendor	Schneider Electric

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Improper Enforcement of Message Integrity During Transmission in a Communication Channel

EUVDB-ID: #VU103684

Risk: Medium

CVSSv4.0: 2.4 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-12399

CWE-ID: CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper enforcement of message integrity during transmission in a communication channel. A remote attacker can perform a man-in-the-middle (MitM) attack and gain access to the target application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pro-face GP-Pro EX: All versions

Pro-face Remote HMI: All versions

CPE2.3

External links

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-02.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-25-035-07

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.