VYPR
Advisory · Published Jun 26, 2026 · Updated Jul 1, 2026 · 1 source

Critical Vulnerability in Schneider Electric License Manager Exposes Industrial Facilities to SYSTEM-Level Compromise

A critical flaw in Schneider Electric's Floating License Manager, CVE-2024-2658, allows local attackers to gain NT AUTHORITY\SYSTEM privileges, potentially disrupting industrial operations.

A critical vulnerability, identified as CVE-2024-2658, has been discovered in Schneider Electric's Floating License Manager (FLM), specifically within the FlexNet Publisher component. This flaw, classified as CWE-427 (Uncontrolled Search Path Element), poses a significant risk to industrial automation systems by enabling local, unprivileged users to escalate their privileges to NT AUTHORITY\SYSTEM. Successful exploitation could lead to the compromise of industrial control systems, disruption of operations, and lateral movement within sensitive networks.

The vulnerability arises from the way the FlexNet Publisher component, used by Schneider Electric FLM for license management, handles its OpenSSL configuration. The application references an OpenSSL configuration file (openssl.cnf) at a hardcoded path without adequate access controls. A local attacker who can create directories on the system drive can therefore control what is found at this path. By crafting a malicious DLL and placing it in a location that the lmadmin.exe process will load, an attacker can execute arbitrary code within the context of the license management service.

FlexNet Publisher, a product from Flexera Software, is integrated into numerous industrial solutions to manage software licenses. In versions up to and including 11.19.6.0, it fails to properly restrict low-privileged users from modifying or replacing the openssl.cnf file. The lmadmin.exe service, which runs as NT AUTHORITY\LOCAL SERVICE, is configured to load a custom DLL specified in this configuration file. This mechanism, intended for legitimate license management, becomes a critical hazard when exploited.

The exploit chain begins with an attacker who has local code execution capabilities on a machine running the vulnerable Schneider Electric FLM. By leveraging default Windows NTFS permissions, which often allow authenticated users to create directories on the root of the system drive, an attacker can recreate the expected directory structure. They then place a malicious DLL within this structure and update the openssl.cnf file to point to it.

When the lmadmin.exe process starts or reinitializes its OpenSSL components, it reads the attacker-controlled openssl.cnf. Upon finding the dynamic_path parameter, it loads the specified malicious DLL. Since the lmadmin.exe process runs with elevated privileges, the attacker's code executes with those privileges. Under certain conditions, this can lead to a full escalation to NT AUTHORITY\SYSTEM, granting the attacker complete control over the host system.

The impact of such a compromise is severe for industrial environments. Gaining SYSTEM privileges allows attackers to access sensitive configuration files, steal credentials, and potentially move laterally to other critical systems like engineering workstations. Furthermore, attackers can disrupt the license server itself, rendering essential engineering and maintenance software unusable, thereby halting production or critical operations.

Schneider Electric FLM also includes an embedded web portal for administration. Because this portal shares the same address space as lmadmin.exe, any code loaded via the FlexNet Publisher vulnerability executes directly within the lmadmin.exe process. This provides an avenue for attackers to intercept credentials for the administration portal, further expanding their attack surface and control over the industrial network.

To mitigate this risk, organizations should ensure that file system permissions on critical directories are properly restricted. Applying the latest security patches from Schneider Electric and Flexera is crucial. Additionally, monitoring for unusual file modifications in expected OpenSSL configuration paths and unusual process behavior associated with lmadmin.exe can help detect potential exploitation attempts.
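One way to implement the configuration monitoring described above, as an added example that is not code from this advisory, Schneider Electric or Flexera: it parses the text of an openssl.cnf and reports every dynamic_path directive that points outside a set of trusted directories. The TRUSTED_DIRS list, the function names and the sample configuration are assumptions constructed for illustration; the advisory does not give the hardcoded path, so the caller supplies the file contents.

```python
import re
from pathlib import PureWindowsPath

# Assumption: directories the administrator treats as trusted for engine DLLs.
TRUSTED_DIRS = [PureWindowsPath(r"C:\Program Files"),
                PureWindowsPath(r"C:\Windows\System32")]
SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")

def find_dynamic_paths(cnf_text):
    """Return (section, path) for each dynamic_path directive in the config text."""
    findings, section = [], "default"
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "dynamic_path":
            findings.append((section, value.strip().strip('"')))
    return findings

def is_trusted(path):
    """True only for an absolute path, without '..', below a trusted directory."""
    p = PureWindowsPath(path)
    if ".." in p.parts:
        return False
    for base in TRUSTED_DIRS:
        try:
            p.relative_to(base)
            return True
        except ValueError:
            continue
    return False

def audit(cnf_text):
    """Return the dynamic_path entries that point outside TRUSTED_DIRS."""
    return [(s, p) for s, p in find_dynamic_paths(cnf_text) if not is_trusted(p)]

# Constructed sample input, not taken from a real installation.
SAMPLE_CNF = r"""
[ vendor_engine ]
dynamic_path = C:\Program Files\Vendor\engine.dll
[ other_engine ]
dynamic_path = C:\Users\Public\engine.dll   # user-writable location
# dynamic_path = C:\Temp\old.dll
"""

if __name__ == "__main__":
    for section, path in audit(SAMPLE_CNF):
        print(f"ALERT: [{section}] loads a DLL from an untrusted path: {path}")
```

Run against the configuration file on a schedule or on a file-change event, any non-empty result from audit() is worth an alert alongside the lmadmin.exe process monitoring mentioned above.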

Synthesized by Vypr AI