SEVD-2024-345-02 Harmony HMI and Pro-face HMI products

Schneider Electric is aware of a vulnerability in its Harmony HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7 products used with EcoStruxure™ Operator Terminal Expert Software and PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100 products used with Pro-face BLUE Software. Failure to apply the mitigations provided below may risk various attack scenarios due to Third-Party Component obsolescence, which could result in complete loss of control, Integrity and Confidentiality of the device and operational failure. CVE-2024-11999 has been assigned with a CWE-1104: Use of Unmaintained Third-Party Components vulnerability.