Vulnerability Details CVE-2020-25176
Some commands used by the Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote, unauthenticated attacker to traverse an application’s directory, which could lead to remote code execution.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.026
EPSS Ranking 85.2%
CVSS Severity
CVSS v3 Score 9.1
CVSS v2 Score 9.3
References
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04
- https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699
- https://www.cisa.gov/uscert/ics/advisories/icsa-20-280-01
- https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdf
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04
- https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699
- https://www.cisa.gov/uscert/ics/advisories/icsa-20-280-01
- https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdf
Products affected by CVE-2020-25176
-
cpe:2.3:a:rockwellautomation:aadvance_controller:*
-
cpe:2.3:a:rockwellautomation:isagraf_free_runtime:*
-
cpe:2.3:a:rockwellautomation:isagraf_runtime:*
-
cpe:2.3:h:rockwellautomation:micro810:-
-
cpe:2.3:h:rockwellautomation:micro820:-
-
cpe:2.3:h:rockwellautomation:micro830:-
-
cpe:2.3:h:rockwellautomation:micro850:-
-
cpe:2.3:h:rockwellautomation:micro870:-
-
cpe:2.3:h:schneider-electric:cp-3:-
-
cpe:2.3:h:schneider-electric:easergy_c5:-
-
cpe:2.3:h:schneider-electric:easergy_t300:-
-
cpe:2.3:h:schneider-electric:epas_gtw:-
-
cpe:2.3:h:schneider-electric:mc-31:-
-
cpe:2.3:h:schneider-electric:micom_c264:-
-
cpe:2.3:h:schneider-electric:pacis_gtw:-
-
cpe:2.3:h:schneider-electric:saitel_dp:-
-
cpe:2.3:h:schneider-electric:saitel_dr:-
-
cpe:2.3:o:rockwellautomation:micro810_firmware:-
-
cpe:2.3:o:rockwellautomation:micro820_firmware:-
-
cpe:2.3:o:rockwellautomation:micro830_firmware:-
-
cpe:2.3:o:rockwellautomation:micro850_firmware:-
-
cpe:2.3:o:rockwellautomation:micro870_firmware:-
-
cpe:2.3:o:schneider-electric:easergy_c5_firmware:*
-
cpe:2.3:o:schneider-electric:easergy_t300_firmware:-
-
cpe:2.3:o:schneider-electric:easergy_t300_firmware:1.5.2
-
cpe:2.3:o:schneider-electric:easergy_t300_firmware:2.7
-
cpe:2.3:o:schneider-electric:easergy_t300_firmware:2.7.1
-
cpe:2.3:o:schneider-electric:epas_gtw_firmware:6.4
-
cpe:2.3:o:schneider-electric:micom_c264_firmware:*
-
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:5.1
-
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:5.2
-
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.1
-
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.3
-
cpe:2.3:o:schneider-electric:saitel_dp_firmware:*
-
cpe:2.3:o:schneider-electric:saitel_dr_firmware:*
-
cpe:2.3:o:schneider-electric:scd2200_firmware:*
-
cpe:2.3:o:xylem:multismart_firmware:*