
CVE-2022-41671: CWE-89 SQL Injection in Schneider Electric EcoStruxure Operator Terminal Expert

High
Tags: Vulnerability, CVE-2022-41671, cve, cwe-89
Published: Fri Nov 04 2022 (11/04/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Schneider Electric
Product: EcoStruxure Operator Terminal Expert

Description

A CWE-89: Improper Neutralization of Special Elements used in SQL Command (‘SQL Injection’) vulnerability exists that allows adversaries with local user privileges to craft a malicious SQL query and execute as part of project migration which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 or prior), Pro-face BLUE (V3.3 Hotfix 1 or prior).

AI-Powered Analysis

AILast updated: 06/25/2025, 21:29:38 UTC

Technical Analysis

CVE-2022-41671 is a high-severity SQL injection vulnerability (CWE-89) in Schneider Electric's EcoStruxure Operator Terminal Expert and in Pro-face BLUE, affecting V3.3 Hotfix 1 and earlier of both products. The flaw is improper neutralization of special elements in SQL commands during project migration: data carried in a project file is interpolated into SQL statements the application executes, so an adversary with a local user account can craft a project whose fields are interpreted as additional SQL. The vendor description states that this can result in execution of malicious code, which would compromise the confidentiality, integrity, and availability of the host.

Exploitation requires local access with low privileges (an ordinary local user, not an administrator) and no user interaction beyond the attacker initiating a project migration. The CVSS 3.1 base score is 7.0 (High), with vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H: attack vector local, attack complexity high, privileges required low, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported to date.

The affected software is industrial control system (ICS) engineering software used to build and manage operator terminals and human-machine interfaces (HMI), which are critical components of industrial automation environments. Because project migration is a routine operation during maintenance and upgrades, the vulnerability is a meaningful risk wherever a malicious insider or an attacker who has already gained a foothold through lateral movement can obtain a local session on an engineering workstation.
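The pattern described above, as an added illustration that is not Schneider Electric's code and does not reflect the product's actual schema or migration routine: a hypothetical migration step copies legacy project records into a new table, once by string formatting and once with a parameterised statement. The table names, the `startup_scripts` table (standing in for whatever the real application does with injected data) and the executable path are all assumptions; the legacy record is constructed for the example.

```python
"""
Illustrative CWE-89 in a project-migration step (constructed example).
Nothing here is Schneider Electric code; schema and payload are hypothetical.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a legacy project table and the target schema
    of the hypothetical migration (all table names are assumptions)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE legacy_projects (name TEXT, config TEXT);
        CREATE TABLE projects (name TEXT, config TEXT);
        CREATE TABLE schema_version (version INTEGER);
        INSERT INTO schema_version VALUES (3);
        -- Hypothetical table the HMI reads at start-up; a row here stands in
        -- for the "execution of malicious code" the advisory describes.
        CREATE TABLE startup_scripts (path TEXT);
        """
    )
    return con


# Constructed project name under control of a local user.  It closes the
# VALUES clause of the migration template, appends a second statement, and
# comments out the remainder of the template line.
MALICIOUS_NAME = (
    "Line1', 'cfg'); "
    "INSERT INTO startup_scripts (path) VALUES ('C:\\Temp\\payload.exe'); --"
)


def migrate_vulnerable(con: sqlite3.Connection) -> int:
    """Build the migration script by string formatting (CWE-89) and run it
    as a multi-statement script, so a stacked statement inside `name` runs.
    Returns the number of rows that ended up in `startup_scripts`."""
    script = ""
    for name, config in con.execute("SELECT name, config FROM legacy_projects"):
        script += (
            f"INSERT INTO projects (name, config) VALUES ('{name}', '{config}');\n"
        )
    script += "UPDATE schema_version SET version = 4;\n"
    con.executescript(script)
    return con.execute("SELECT COUNT(*) FROM startup_scripts").fetchone()[0]


def migrate_safe(con: sqlite3.Connection) -> int:
    """Same migration with bound parameters: project fields are passed as
    values and are never parsed as SQL.  Returns the `startup_scripts` count."""
    rows = con.execute("SELECT name, config FROM legacy_projects").fetchall()
    con.executemany("INSERT INTO projects (name, config) VALUES (?, ?)", rows)
    con.execute("UPDATE schema_version SET version = 4")
    con.commit()
    return con.execute("SELECT COUNT(*) FROM startup_scripts").fetchone()[0]


def run(migrate) -> tuple[int, list[str]]:
    """Seed a fresh database with the constructed malicious record, run
    `migrate`, and return (startup_script_rows, migrated_project_names)."""
    con = make_db()
    con.execute("INSERT INTO legacy_projects VALUES (?, ?)", (MALICIOUS_NAME, "cfg"))
    con.commit()
    injected = migrate(con)
    names = [r[0] for r in con.execute("SELECT name FROM projects ORDER BY name")]
    con.close()
    return injected, names


if __name__ == "__main__":
    # Vulnerable path: one planted start-up entry, and the project is stored
    # under the truncated name "Line1".  Safe path: no planted entry, and the
    # whole hostile string is stored literally as the project name.
    print("vulnerable:", run(migrate_vulnerable))
    print("safe:      ", run(migrate_safe))
```

The point of the contrast is that the safe version changes nothing about what the migration does with well-formed input; it only stops the database engine from seeing project data as code. Any input validation layered on top (rejecting quotes or semicolons in names) is a weaker substitute, since legitimate project names may contain such characters and the engine, not a filter, is the right place to separate data from syntax.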

Potential Impact

For European organizations, especially those in critical infrastructure sectors such as energy, manufacturing, and utilities, this vulnerability poses a significant risk. Schneider Electric's EcoStruxure platform is widely deployed across Europe for industrial automation and control. Successful exploitation could allow an attacker to execute arbitrary code on an engineering workstation, potentially leading to disruption of industrial processes, theft of project data, or sabotage of HMI configurations. The high impact on confidentiality, integrity, and availability means that operational technology (OT) environments could face downtime, safety hazards, or loss of sensitive operational data. Because the attack vector is local, practical exposure depends on who can obtain an interactive session on the engineering hosts: the risk is most pronounced where insiders have broad access or where weak segmentation lets an attacker who has compromised the IT network reach those hosts. The absence of known exploits reduces immediate risk but does not eliminate it, since the attack requires only a crafted project file once local access is obtained. The vulnerability could also serve as one stage of a larger intrusion, turning a low-privileged foothold on an engineering workstation into code execution from which an attacker can move further into the industrial network.

Mitigation Recommendations

- Apply the fixed release that Schneider Electric's advisory references for EcoStruxure Operator Terminal Expert and Pro-face BLUE; any version at or below V3.3 Hotfix 1 remains affected.
- Implement strict access controls and network segmentation so that only authorized personnel can obtain a local session on engineering workstations running these products.
- Enforce least privilege for accounts with local access to those workstations, and restrict who is permitted to import or migrate project files.
- Treat project files as untrusted input: accept them only from controlled sources, and verify their origin before migration.
- Monitor and audit project migration activity and, where the application exposes it, the SQL it executes, so that anomalous or unauthorized operations can be detected.
- Use application allow-listing and endpoint protection on engineering workstations to block execution of unauthorized code resulting from exploitation attempts.
- Conduct regular security awareness training for personnel with access to industrial control systems so that suspicious project files and activities are recognized and reported.
- Establish incident response procedures specific to ICS environments to quickly contain and remediate any exploitation attempts.
- Consider deploying host-based intrusion detection (HIDS) on affected workstations to flag unusual process creation or file writes following a migration.


Technical Details

Data Version: 5.1
Assigner Short Name: schneider
Date Reserved: 2022-09-27T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9838c4522896dcbec5a8

Added to database: 5/21/2025, 9:09:12 AM

Last enriched: 6/25/2025, 9:29:38 PM

Last updated: 8/16/2025, 8:44:21 AM
