Schneider Electric Security Notification

Zelio Soft 2

8 October 2024

Overview

Schneider Electric is aware of vulnerabilities in its Zelio Soft 2 product.

The Zelio Soft 2 software for Zelio Logic smart relays (SR2/SR3) enables:
- programming in LADDER language or in function block diagram (FBD) language
- simulation, monitoring and supervision
- uploading and downloading of programs
- output of personalized files
- automatic compiling of programs

Failure to apply the fix provided below may risk remote code execution, which could result in resource exhaustion, information disclosure, or denial of service.

Affected Products and Versions

Vulnerability Details

CVE ID: CVE-2024-8422
CVSS v3.1 Base Score: 7.8
A CWE-416: Use After Free vulnerability exists that could cause arbitrary code execution, denial of service and loss of confidentiality and integrity when an application user opens a malicious Zelio Soft 2 project file.

CVE ID: CVE-2024-8518
CVSS v3.1 Base Score: 3.3
A CWE-20: Improper Input Validation vulnerability exists that could cause a crash of the Zelio Soft 2 application when a specially crafted project file is loaded by an application user.

Note regarding vulnerability details: The severity of vulnerabilities was calculated using the CVSS Base metrics in version 3.1 (CVSS v3.1) without incorporating the Temporal and Environmental metrics.

---
Document Reference Number: SEVD-2024-282-06 Page 1 of 4