Almost two years have passed since the issue was first discovered

Sep 24, 2013 18:41 GMT

Schneider Electric has finally patched a hard-coded credentials vulnerability in the Schneider Electric Quantum Ethernet Module. The company has published patches and firmware upgrades for this and other affected products.

Why do I say “finally”? That’s because the issue was discovered in December 2011. At the time, independent security researcher Rubén Santamarta warned that the vulnerability could be leveraged by a remote hacker to access the FTP service, the Telnet port and the Windriver Debug port.

“Schneider Electric has created firmware upgrades that resolve the Telnet and Windriver debug port vulnerabilities for all affected products by removing the Telnet and Windriver services from these modules,” an ICS-CERT advisory reads.

Schneider Electric notes that removing the two services should not affect the product’s functionality, since they were installed only for advanced troubleshooting, not for customer use.

It's worth noting that this particular vulnerability was partially patched in June 2013.