Yesterday the DHS ICS-CERT published a control system security advisory for the Schneider Electric PowerLogic PM8ECC device. The vulnerability was reported by He Congwen. Schneider has produced a patch that mitigates the vulnerability. There is no indication that Congwen has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to gain access to configuration data on the device. The Schneider Security Notification for the vulnerability (note: there are currently problems with this link, which may explain why it was not included in the ICS-CERT Advisory) explains that exploiting the vulnerability will provide the attacker with ‘special user’ data that would allow the attacker to log in to the device with full administrator access.