Nine vulnerabilities, four of which are deemed of “high severity,” have been uncovered and patched in Schweitzer Engineering Laboratories’ (SEL) electric power management products by researchers at industrial cybersecurity firm Nozomi Networks.
SEL, a U.S.-based company serving the electric power sector, produces software products like SEL-5030 acSELerator QuickSet and SEL-5037 Grid Configurator for configuring and managing power system protection, control, metering, and monitoring. The most critical vulnerability, CVE-2023-31171, enables arbitrary code execution when an attacker convinces a user to import a specially crafted device configuration file. This flaw can be combined with CVE-2023-31175 to escalate privileges.
Exploitation by malicious insiders or external threat actors through social engineering could lead to data theft, surveillance, device manipulation, and network lateral movement. Another serious issue allows arbitrary command execution and device configuration changes via a link click or by setting up a watering hole that victims are likely to visit. SEL has issued software updates to address these vulnerabilities, following a previous discovery of 19 security holes in their products earlier this year by Nozomi Networks.
These vulnerabilities could potentially enable attackers to tamper with device functionality, manipulate information displayed to operators, and access other systems using the same credentials, posing risks to power infrastructure security.