Schneider Electric Software Vulnerability Exposes Industrial Facilities to Risk


"The CVE-2024-2658 vulnerability was discovered in 2024 within the FlexNet Publisher component of the Schneider Electric Floating License Manager," — Securelist.

How FlexNet Publisher and lmadmin.exe load third‑party DLLs

The vulnerability is a CWE‑427 Uncontrolled Search Path Element rooted in a hardcoded OpenSSL configuration path inside FlexNet Publisher as shipped with Schneider Electric Floating License Manager (FLM). When lmadmin.exe initializes OpenSSL it looks for an openssl.cnf at one fixed path, C:\cygwin\home\nightly\LMADMI~1.4\tier1\lmadmin\contrib\openssl\_RELEA~1\openssl\openssl.cnf, which reads like a path from the vendor's build machine and does not exist on a normal production host. If a file at that path contains a [engine] section with a dynamic_path parameter, FlexNet Publisher loads the DLL named there directly into the lmadmin.exe process, with no check on where the configuration came from or what library it points at.

lmadmin.exe is a 32‑bit daemon registered as the Windows service lmadminSchneider, with start type Automatic, running as NT AUTHORITY\LOCAL SERVICE (because the process is 32‑bit, any DLL it loads must be 32‑bit as well). The FLM web portal is embedded in the same lmadmin.exe address space, so any code injected into lmadmin.exe can interact with the portal and potentially intercept credentials for its Administration interface.

The exploit chain: from an authenticated user to NT AUTHORITY\SYSTEM

Exploitation requires only local code execution as a non‑administrator. By default, the ACL on the root of C:\ lets Authenticated Users create folders there, and a clean FLM installation does not create the C:\cygwin tree that the binary checks, so the prefix is free for anyone to claim. An attacker who recreates that directory tree and places a crafted openssl.cnf in it pointing at a DLL they control (for example, dynamic_path = C:\\Users\\public\\malicious.dll) gets FlexNet Publisher to load that DLL the next time lmadmin.exe initializes OpenSSL.

That happens on service start or restart, including after a reboot, at which point the DLL runs in the context of the lmadminSchneider service, NT AUTHORITY\LOCAL SERVICE. That account holds SeImpersonatePrivilege by default, so whenever a more privileged client can be made to connect to the process (over RPC, COM, or a named pipe), the usual impersonation‑abuse techniques such as the Potato exploit family turn the foothold into NT AUTHORITY\SYSTEM. The end state is code execution inside a service and, potentially, full SYSTEM privileges.

Operational consequences for license availability and engineering workstations

The immediate operational impact is twofold. First, an attacker can disrupt the license server itself, taking away the floating licenses that engineering software and maintenance work depend on. Second, once code runs inside lmadmin.exe, with the web portal in the same process, an attacker can intercept Administration credentials and use them to move laterally to engineering workstations and other nodes, depending on network reachability and what credentials are stored there.

The vulnerability therefore threatens both local host integrity (configuration files, secrets, system data) and broader operational continuity where FLM is used to manage licenses for PLC programming, HMIs, and SCADA modules.

Mitigations: patches, filesystem ACLs, and hosting guidance

Securelist recommends several concrete steps. Where floating licenses are not required, remove Schneider Electric FLM or avoid installing it on workstations; prefer licenses tied to specific machines where feasible. If FLM is required, host it on a dedicated server with strictly controlled user access.

The actual fix is to upgrade Schneider Electric FLM to version 3.0.0.0 or later, which ships the patched component. Until that is done, administrators can take the hardcoded prefix away from attackers: create the C:\cygwin directory from an administrative account and explicitly deny write permissions to the Authenticated Users group, so a standard user can neither recreate the tree nor stage a rogue openssl.cnf at the path the binary checks. This is a compensating control, not a substitute for the update.
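As an added example (not from the Securelist report or from Schneider's own guidance), the elevated PowerShell script below implements the directory‑claiming mitigation just described: it creates C:\cygwin under the administrator's ownership, attaches an inherited deny ACE for Authenticated Users covering every right needed to add, replace or delete files beneath it or to undo the ACE, and then prints the resulting ACL so the change can be verified. The exact set of rights denied is my choice; the report only says "write permissions".

```powershell
#Requires -RunAsAdministrator
# Added example: pre-claim the hardcoded prefix that lmadmin.exe searches so a
# standard user cannot recreate it. Only C:\cygwin needs the ACE; inheritance
# carries it down to any subfolder an administrator later creates.

$root = 'C:\cygwin'

if (-not (Test-Path -LiteralPath $root)) {
    New-Item -ItemType Directory -Path $root | Out-Null
}

# Rights that would let someone add or replace files or subfolders, or remove
# this ACE. 'Write' already bundles CreateFiles, CreateDirectories and the
# attribute-write rights; the rest close the obvious ways around it.
$deniedRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    [System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users',
    $deniedRights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

# Keep the existing ACL and add the deny entry on top of it.
$acl = Get-Acl -LiteralPath $root
$acl.AddAccessRule($deny)
Set-Acl -LiteralPath $root -AclObject $acl

# Verify: the Deny row for Authenticated Users should appear with
# ContainerInherit, ObjectInherit and IsInherited = False.
(Get-Acl -LiteralPath $root).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

Two things to keep in mind when running it. Administrators are members of Authenticated Users too, so the deny ACE blocks them from writing under C:\cygwin as well; that is intended, since nothing legitimate lives there, and an administrator can still remove the ACE if the tree is ever needed. And because a deny ACE wins over any allow, it is worth confirming with a standard user account (for example `New-Item C:\cygwin\home` from an unelevated prompt) that folder creation is in fact refused before relying on the control.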

How technologists, procurement, and engineers should respond

  • Technologists and security teams: scan endpoints for the vulnerable software version (the report cites a KICS OVAL task as one option); monitor for creation of the hardcoded openssl.cnf path and for lmadmin.exe loading DLLs from outside its installation directory; and, if exploitation is suspected, isolate the device and look for suspicious files, unknown processes, and outbound connections.
  • Procurement and operations leaders: avoid deploying FLM on general‑purpose workstations, insist FLM be hosted on dedicated servers with restricted access, and prioritize upgrades to FLM version 3.0.0.0 or later when evaluating vendor updates.
  • Engineering and maintenance staff: be aware that loss of the license server directly disrupts engineering software and maintenance workflows, and coordinate with security teams before rebooting or restarting services on machines hosting lmadminSchneider, since a restart is exactly what loads a staged DLL.
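The version scan and the two monitoring points in the first bullet can be approximated with a one‑off host audit. The PowerShell below is an added example (it is not part of the Securelist report and is not KICS): it looks up the lmadminSchneider service and the account it runs as, checks the installed FLM version against the 3.0.0.0 threshold, reports whether anything is staged at the hardcoded openssl.cnf path and whether that file carries a dynamic_path directive, and lists every module lmadmin.exe has loaded from outside its own installation directory or the Windows directory. The registry‑based version lookup and the list of "expected" module locations are my assumptions; baseline the module list on a known‑good host before treating a hit as malicious.

```powershell
#Requires -RunAsAdministrator
# Added example: audit one host for CVE-2024-2658 staging or exploitation.
# Elevation is needed to read the modules of a LOCAL SERVICE process.

$serviceName    = 'lmadminSchneider'
$cnfPath        = 'C:\cygwin\home\nightly\LMADMI~1.4\tier1\lmadmin\contrib\openssl\_RELEA~1\openssl\openssl.cnf'
$patchedVersion = [version]'3.0.0.0'

# 1. Service, account and binary
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) {
    Write-Host "Service $serviceName is not installed on this host."
    return
}
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$installDir = Split-Path -Parent $exe
Write-Host "Service : $($svc.Name)  State=$($svc.State)  StartMode=$($svc.StartMode)  Account=$($svc.StartName)"
Write-Host "Binary  : $exe"

# 2. Installed FLM version (assumption: registered under the usual Uninstall
#    keys with 'Floating License Manager' in DisplayName)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Floating License Manager*' } |
    ForEach-Object {
        $v = $null
        if (-not [version]::TryParse($_.DisplayVersion, [ref]$v)) {
            Write-Warning "$($_.DisplayName): unparsable version '$($_.DisplayVersion)'"
        } elseif ($v -lt $patchedVersion) {
            Write-Warning "$($_.DisplayName) $v is below $patchedVersion; upgrade."
        } else {
            Write-Host "$($_.DisplayName) $v is at or above $patchedVersion."
        }
    }

# 3. Anything staged at the hardcoded path? Owner and timestamp tell you who
#    put it there and when; a dynamic_path line is the loader trigger.
if (Test-Path -LiteralPath $cnfPath) {
    $owner   = (Get-Acl -LiteralPath $cnfPath).Owner
    $written = (Get-Item -LiteralPath $cnfPath).LastWriteTime
    Write-Warning "openssl.cnf present at hardcoded path (owner $owner, last written $written)"
    Select-String -LiteralPath $cnfPath -Pattern '^\s*dynamic_path\s*=' |
        ForEach-Object { Write-Warning "  dynamic_path directive: $($_.Line.Trim())" }
} else {
    Write-Host "No openssl.cnf at the hardcoded path."
}

# 4. DLLs loaded by lmadmin.exe from outside the expected locations
#    (assumed-benign prefixes: the install directory and %SystemRoot%)
$expected = @($installDir, $env:SystemRoot)
foreach ($p in Get-Process -Name lmadmin -ErrorAction SilentlyContinue) {
    foreach ($m in $p.Modules) {
        $inExpected = $expected | Where-Object {
            $m.FileName.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
        }
        if (-not $inExpected) {
            Write-Warning "PID $($p.Id) loaded unexpected module: $($m.FileName)"
        }
    }
}
```

Because lmadmin.exe is a 32‑bit process, if step 4 fails to enumerate modules from a 64‑bit PowerShell session, rerun the script from the 32‑bit host (%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe). A module under C:\Users\Public or any other user‑writable location is the signal to look for; a hit under Program Files or the Windows directory is more likely a baseline gap than an exploitation artefact. For continuous coverage, the same two conditions (file creation at the hardcoded path, image load into lmadmin.exe from a user‑writable path) map directly onto file‑create and image‑load telemetry from whatever EDR or Sysmon deployment the site already has.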

Detection and response: what Kaspersky Industrial CyberSecurity reports

Kaspersky Industrial CyberSecurity (KICS) is described as detecting exploitation attempts against this vulnerability. The KICS Vulnerability Manager flags the vulnerable software version, while behavioral engines track stages from rogue configuration file creation to the service loading a malicious library. An example EPP alert lists the target process as C:\Program Files (x86)\Schneider Electric\Floating License Manager\FLEXnet Publisher License Server Manager\lmadmin.exe with MD5 c3f57667d9e8e1b2375ba09cdf71cac8 and SHA256 9dab845704d1999ec8ed089594cfd2173a08057f1caf9a2346c22c81039dbb7a, reported as "Untreatable" by the automated protection component. KICS mitigation guidance includes event analysis, isolation, installation of security updates, and full system scans.

The vulnerability is a reminder that hardcoded paths and unchecked dependency loading can convert routine file‑system permissions into an escalation path with broad operational consequences. Upgrade the component, tighten C:\ ACLs, and apply behavioral monitoring to detect the chain early.

Original Securelist report