Infrastructure Briefing — jSerialComm search-path flaws expose EcoStruxure IT Gateway operators
CISA’s ICSA-20-126-01 bulletin explains how Fazecast’s jSerialComm library and Schneider Electric’s EcoStruxure IT Gateway inherit an uncontrolled search path, letting unsigned DLLs execute as soon as technicians connect to serial equipment.
Executive briefing: jSerialComm provides serial connectivity for Java-based OT dashboards and Schneider’s EcoStruxure IT Gateway, but ICSA-20-126-01 confirms the library trusts whatever DLL sits in its search path. An unauthenticated attacker who drops a malicious DLL with the right name can hijack the gateway or the Windows server hosting the software.
Containment checklist
- Upgrade both upstream components. Patch jSerialComm to 2.3+ and EcoStruxure IT Gateway to 1.8.1+ in the same change window so the runtime actually loads the signed binaries the vendors published.
- Restrict write access around the service. Remove local admin privileges from operators, keep antivirus and EDR watching the program directories, and ensure only signed DLLs can land in the jSerialComm path.
- Harden serial jump hosts. Treat the workstations and gateways as critical OT assets—enforce MFA for console access, keep them off the corporate domain, and monitor for unexpected DLL loads.
Response and assurance
- Scan for rogue DLLs. Use file integrity monitoring to detect unapproved libraries under EcoStruxure IT Gateway and any other product bundling jSerialComm.
- Log service execution. Capture Windows process creation events and Java stack traces from the gateway so SOC teams can tie suspicious DLL loads back to a specific maintenance session.
- Update supplier questionnaires. Ask vendors whether they embed jSerialComm or similar serial middleware and require proof that the latest library release is in their SBOM.
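The "Scan for rogue DLLs" item can be approximated without a commercial file integrity product. The sketch below is an added example, not code from CISA, Fazecast or Schneider Electric: it hashes every DLL under an install directory and diffs the result against a JSON baseline captured from a known-good, fully patched install. The function names, the baseline format and the demo file names are assumptions made for illustration.

```python
import hashlib
import json
from pathlib import Path


def hash_dlls(root):
    """Return {relative path (lower-cased): SHA-256 hex} for every DLL under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        # Windows file names are case-insensitive, so match .DLL as well as .dll
        if path.is_file() and path.suffix.lower() == ".dll":
            rel = path.relative_to(root).as_posix().lower()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_to_baseline(baseline, current):
    """Classify DLLs as unapproved (new), modified (hash changed) or missing."""
    return {
        "unapproved": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }


def scan(root, baseline_file):
    """Load a JSON baseline written from a trusted install and diff it against disk."""
    baseline = json.loads(Path(baseline_file).read_text())
    return compare_to_baseline(baseline, hash_dlls(root))


if __name__ == "__main__":
    import tempfile
    # Constructed demo tree; real use points root at the product's install directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "install"
        (root / "lib").mkdir(parents=True)
        (root / "lib" / "approved.dll").write_bytes(b"vendor build")
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(hash_dlls(root)))
        # Simulate an unexpected library appearing and an approved one changing.
        (root / "planted.DLL").write_bytes(b"unknown")
        (root / "lib" / "approved.dll").write_bytes(b"tampered")
        print(json.dumps(scan(root, baseline_file), indent=2))
```

Keep the baseline file somewhere the gateway service account and operators cannot write, and regenerate it only as part of an approved upgrade.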
Source excerpts
Primary — arbitrary code risk: “Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code on a targeted system.”
CISA — ICSA-20-126-01
Primary — vendor guidance: “Fazecast, Inc., recommends users update jSerialComm to Version 2.3 or later…Schneider Electric recommends users upgrade EcoStruxure IT Gateway to Version 1.8.1 or later.”
CISA — ICSA-20-126-01