The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session.
Fixes

Solution

Schneider Electric has produced an updated firmware, labelled V1.60 IR 04. This firmware release moves the jar files directory in a secure area. The new firmware also includes the ability to disable the FTP server. This updated firmware can be downloaded at: http://www.schneider-electric.com/download/WW/EN/details/681790255-TSXETG30xx-V160-IR4/?showAsIframe... http://www.schneider-electric.com/download/WW/EN/details/681790255-TSXETG30xx-V160-IR4/


Workaround

Schneider Electric recommends the FTP server be deactivated when not needed. The firmware update does not remove the hard-coded credentials. Narendra Shinde also found that configuration files were accessible using default credentials. Schneider Electric recommends users change the default login credentials. This will protect configuration files from unauthorized access.

History

Fri, 05 Sep 2025 21:30:00 +0000

Type Values Removed Values Added
Title Schneider Electric ETG3000 FactoryCast HMI Gateway Use of Hard-coded Credentials
Weaknesses CWE-798
References

cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2025-09-05T21:18:01.615Z

Reserved: 2014-12-02T00:00:00

Link: CVE-2014-9198

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2015-01-27T19:59:10.810

Modified: 2025-09-05T22:15:33.430

Link: CVE-2014-9198

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.