CVE-2022-41670 - Path Traversal in SGIUtility Leads to DLL Hijacking & Code Execution

CVE-2022-41670 is a critical security vulnerability that affects certain versions of Schneider Electric's EcoStruxure Operator Terminal Expert and Pro-face BLUE products. The vulnerability lies in the SGIUtility component of these systems and allows local attackers to load and execute malicious code via path traversal. This simple but dangerous exploit can grant persistent remote access or full compromise of industrial control workstations.

Quick Explainer: What is Path Traversal?

Path Traversal (aka Directory Traversal) happens when an application takes user input but doesn’t properly validate or limit the filename/path. An attacker can trick the app into loading or writing files in locations outside of what developers intended — sometimes leading to reading sensitive files, or (as in this case) loading malicious code as a DLL.

CWE-22: Improper Limitation of a Pathname to a Restricted Directory  
https://cwe.mitre.org/data/definitions/22.html

Example path traversal input:  

../../../malicious.dll

If the application just appends that to a trusted base directory and loads it, you have a problem.

Pro-face BLUE (V3.3 Hotfix 1 or earlier)

These are widely used in industrial and HMI (Human-Machine Interface) deployments.

Schneider Electric Security Notification:  
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-322-01

The Flawed Behavior

The vulnerable app’s SGIUtility component searches for DLLs using untrusted, user-controlled paths, and does not verify that the DLL loaded actually comes from a safe, expected directory. This means an attacker with access to the system (even just local user privileges) can plant a malicious DLL in a location the app will check, or manipulate where it checks using path traversal (like adding ../ sequences). When the app loads the DLL, it unwittingly runs the attacker's code.

Proof of Concept (PoC) — Local Exploit

Here's a simple illustration in Python showing how path traversal works. In the real products, this happens at the level of Windows DLL loading.

Suppose there’s a naive DLL loader (pseudocode)

import os

def load_plugin(plugin_name):
    base_path = "C:\\Program Files\\SGIUtility\\plugins\\"
    plugin_path = os.path.join(base_path, plugin_name)
    # INSECURE: Attacker can inject path traversal
    load_library(plugin_path)

Now, if the app is called with

malicious_name = "..\\..\\..\\Users\\Public\\malicious.dll"
load_plugin(malicious_name)

The app ends up trying to load

C:\Program Files\SGIUtility\plugins\..\..\..\Users\Public\malicious.dll
==> C:\Users\Public\malicious.dll

`c

// malicious_dll.c

MessageBox(, "Exploit triggered!", "CVE-2022-41670", MB_OK);

// run reverse shell or other payload here

return TRUE;

}

Why is This Bad?

- Code execution: Attacker’s code runs with the privileges of the running app — often very high (SYSTEM in some cases).

Industrial Risk: These apps run critical industrial operations and HMIs.

Anyone with local access — including a malware process, an unprivileged user, or a cyber-criminal with temporary foothold — can escalate the attack.

Exploit Demo Video & Resources (External)

- Schneider Security Advisory SEVD-2022-322-01
- NIST NVD CVE-2022-41670
- CWE-22: Path Traversal
- DLL Hijacking explained (external)

How To Check If You’re Vulnerable

- Are you running EcoStruxure Operator Terminal Expert or Pro-face BLUE at Version 3.3 Hotfix 1 or older?

Does your workstation have non-admin local users who shouldn’t be able to run code as admin?

- Can you find DLLs in untrusted/writable directories loaded by the app? (Tools: Sysinternals Procmon, @dllsearchorder)

UPDATE: Immediately update to 3.3 Hotfix 2 or later for both products.

- Limit file and directory permissions: Only trusted admins should write to any directory where the app loads DLLs from.
- Harden Windows to restrict DLL search order (MSDN docs).

Conclusion

CVE-2022-41670 is a classic but dangerous local privilege escalation vulnerability via path traversal and DLL hijacking. In critical industrial environments, ignoring this could mean letting attackers run code as SYSTEM, alter HMI logic, or disrupt operations. Fixing is as easy as a version update, but awareness is the first step.

References

- Schneider Electric Advisory: SEVD-2022-322-01
- NIST NVD: CVE-2022-41670
- CWE-22 Path Traversal: MITRE CWE-22

Questions, comments, or need help auditing your systems? Let me know below!


*This post is exclusive and researched for clarity and practical action. Please share responsibly.*

Timeline

Published on: 11/04/2022 14:15:00 UTC
Last modified on: 11/08/2022 16:20:00 UTC