Exploring the world of legacy building technology is like stepping into a digital time capsule that the modern internet completely forgot. We were scanning the vast, sprawling reaches of the global network when suddenly, we came across a true industry classic: a Schneider SmartStruxure controller. This device is a "vintage" piece of engineering from a different era of connectivity, and unlike modern, high-maintenance enterprise applications that demand complex passwords and multi-factor authentication codes, its architecture remains refreshingly simple. It does not implement the modern "Zero Trust" hurdles we see today; in fact, the system does not even require a basic identity check before granting full access to its internal environment.
It represents an old-fashioned philosophy of networking where the virtual front door was left completely unlocked and the technical welcome mat was always out for any incoming connection. Regardless of who is connecting or where the request originates, this specific Schneider system greets every incoming packet with an open interface and a wide-open command shell, ready to expose its internal logic and configurations without a single moment of hesitation. While the rest of the technology world has moved on to cold, locked-down encryption and rigid security protocols, these retired devices are still out there in the wild, sitting quietly like an abandoned switchboard at a station, ready to respond "yes" to anyone who knows the right port to call!
The Discovery: Uncovering the Open Door with Modat Magnify
While conducting deep-dive research into Schneider Electric assets using Modat Magnify, we stumbled upon a very interesting pattern. Several Schneider Electric devices were exposed with Port 23 and Port 24 wide open, displaying two specific banners: "SCL DPort Server" and "Welcome to the SmartStruxure Lua shell".


To see how widespread this was, we crafted a custom signature to scan the global landscape:
banner~"SCL DPort Server" or banner~"Welcome to the SmartStruxure Lua shell"
The results were eye-opening, returning 19 active instances across the web. Further investigation confirmed these are indeed legacy Schneider Electric devices. The vulnerability is as simple as it is dangerous: there is absolutely no authentication mechanism in place to safeguard these interfaces.
An attacker can gain immediate, administrative-level access just by initiating a simple connection:
telnet <IP> 23
or
telnet <IP> 24
Once connected, you aren't just a guest; you are the manager. Without ever being asked for a password, an attacker can execute arbitrary Lua commands directly on the control server. This grants total control over the building management functions, allowing for the manipulation of critical systems or the disruption of operations with just a few keystrokes.
Impact:
Gaining unauthenticated access to the Lua shell allows an attacker to execute arbitrary commands with full administrative privileges over the building management system. This level of control enables the direct manipulation of critical infrastructure, such as HVAC, lighting, and power systems, potentially leading to physical damage or unsafe environments. Furthermore, because these devices are connected to internal networks, they can serve as a persistent backdoor for attackers to pivot and compromise other sensitive OT or IT assets.
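For defenders checking their own address space, the banner signature from the discovery section can be run against banner-grab output from an internal scan. This is an added example, not code from the original post, Modat or Schneider Electric; the JSON-lines record format, field names and sample hosts are constructed assumptions, and reading `~` as a case-insensitive substring match is our interpretation of the query.

```python
import json
import re

# Banner strings quoted on this page (lower-cased), mapped to a short label.
SIGNATURES = {
    "scl dport server": "SCL DPort server",
    "welcome to the smartstruxure lua shell": "SmartStruxure Lua shell",
}
PAGE_PORTS = {23, 24}  # the two ports named on this page

# Constructed sample records (JSON lines); field names are assumptions.
SAMPLE_SCAN = r"""
{"ip": "10.20.0.15", "port": 23, "banner": "\u00ff\u00fb\u0001SCL DPort Server\r\n"}
{"ip": "10.20.0.15", "port": 24, "banner": "Welcome to the SmartStruxure  Lua shell\r\n> "}
{"ip": "10.20.0.40", "port": 2323, "banner": "welcome to the smartstruxure lua shell"}
{"ip": "10.20.0.77", "port": 23, "banner": "login: "}
{"ip": "10.20.0.90", "port": 22, "banner": "SSH-2.0-OpenSSH_9.6"}
not-json garbage line
"""

def normalize(banner):
    # Replace telnet negotiation bytes and control characters, collapse spaces.
    text = re.sub(r"[^\x20-\x7e]+", " ", banner)
    return re.sub(r" +", " ", text).strip().casefold()

def find_exposed(scan_text):
    """Return ({ip: [finding, ...]}, skipped_line_count)."""
    findings, skipped = {}, 0
    for line in scan_text.strip().splitlines():
        try:
            rec = json.loads(line)
            ip, port, banner = rec["ip"], int(rec["port"]), str(rec["banner"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed record: count it, do not guess
            continue
        text = normalize(banner)
        for needle, label in SIGNATURES.items():
            if needle in text:  # match on the banner, not the port number
                findings.setdefault(ip, []).append(
                    {"port": port, "service": label, "nonstandard_port": port not in PAGE_PORTS})
    return findings, skipped

def report(findings):
    return [f"{ip}:{f['port']} {f['service']}" + (" [non-standard port]" if f["nonstandard_port"] else "")
            for ip in sorted(findings) for f in findings[ip]]

if __name__ == "__main__":
    print("\n".join(report(find_exposed(SAMPLE_SCAN)[0])))
```

Matching on the banner rather than the port also catches a controller that has been port-forwarded to something other than 23 or 24, as the third sample record shows.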
The Disclosure Journey: Working with CISA and Schneider Electric
We reported these findings to CISA Industrial Control Systems (ICS) to ensure the discovery was handled responsibly. We want to extend a sincere thank you to both the CISA coordination team and the Schneider Electric security analysts for their time and for maintaining an open line of communication throughout the process.
The vendor explained that these specific SmartStruxure controllers are End-of-Life (EOL) and are no longer supported for active updates. We fully accept their explanation regarding the product's lifecycle and appreciate the transparency provided by their team. Most importantly, we are grateful that they granted us permission to share these findings publicly so that the community can be informed and take the necessary steps to secure their legacy infrastructure.

Final Thoughts: A Legacy of Trust
In the rapidly evolving world of cybersecurity, we often focus on the newest threats and the most complex exploits. However, this journey through Schneider Electric's legacy hardware reminds us that the "forgotten" devices of yesterday still hold the keys to the infrastructure of today. My research into the unauthenticated Lua shell wasn't just about finding a hole in a fence; it was about understanding how we can better protect the systems that have quietly served us for decades.
The Road Ahead
Awareness: We must recognize that "old" does not mean "offline." Legacy systems remain a critical part of our global infrastructure.
Protection: When official patches are no longer an option, it is up to us to implement manual security measures and network segmentation.
Community: By sharing this knowledge, we ensure that our shared infrastructure remains safe for everyone.
Securing our world is a team sport. By bringing light to these "friendly" vintage systems, we can work together to ensure they continue to run safely in their retirement. Stay curious, stay ethical, and always remember to check the back door!