Vulnerability Details CVE-2020-25184
Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x stores the password in plaintext in a file that is in the same directory as the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords, resulting in information disclosure.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 19.0%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 2.1
References
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04
- https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699
- https://www.cisa.gov/uscert/ics/advisories/icsa-20-280-01
- https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdf
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04
- https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699
- https://www.cisa.gov/uscert/ics/advisories/icsa-20-280-01
- https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdf
Products affected by CVE-2020-25184
-
cpe:2.3:a:rockwellautomation:aadvance_controller:*
-
cpe:2.3:a:rockwellautomation:isagraf_free_runtime:*
-
cpe:2.3:a:rockwellautomation:isagraf_runtime:*
-
cpe:2.3:h:rockwellautomation:micro810:-
-
cpe:2.3:h:rockwellautomation:micro820:-
-
cpe:2.3:h:rockwellautomation:micro830:-
-
cpe:2.3:h:rockwellautomation:micro850:-
-
cpe:2.3:h:rockwellautomation:micro870:-
-
cpe:2.3:h:schneider-electric:cp-3:-
-
cpe:2.3:h:schneider-electric:easergy_c5:-
-
cpe:2.3:h:schneider-electric:easergy_t300:-
-
cpe:2.3:h:schneider-electric:epas_gtw:-
-
cpe:2.3:h:schneider-electric:mc-31:-
-
cpe:2.3:h:schneider-electric:micom_c264:-
-
cpe:2.3:h:schneider-electric:pacis_gtw:-
-
cpe:2.3:h:schneider-electric:saitel_dp:-
-
cpe:2.3:h:schneider-electric:saitel_dr:-
-
cpe:2.3:o:rockwellautomation:micro810_firmware:-
-
cpe:2.3:o:rockwellautomation:micro820_firmware:-
-
cpe:2.3:o:rockwellautomation:micro830_firmware:-
-
cpe:2.3:o:rockwellautomation:micro850_firmware:-
-
cpe:2.3:o:rockwellautomation:micro870_firmware:-
-
cpe:2.3:o:schneider-electric:easergy_c5_firmware:*
-
cpe:2.3:o:schneider-electric:easergy_t300_firmware:-
-
cpe:2.3:o:schneider-electric:easergy_t300_firmware:1.5.2
-
cpe:2.3:o:schneider-electric:easergy_t300_firmware:2.7
-
cpe:2.3:o:schneider-electric:easergy_t300_firmware:2.7.1
-
cpe:2.3:o:schneider-electric:epas_gtw_firmware:6.4
-
cpe:2.3:o:schneider-electric:micom_c264_firmware:*
-
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:5.1
-
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:5.2
-
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.1
-
cpe:2.3:o:schneider-electric:pacis_gtw_firmware:6.3
-
cpe:2.3:o:schneider-electric:saitel_dp_firmware:*
-
cpe:2.3:o:schneider-electric:saitel_dr_firmware:*
-
cpe:2.3:o:schneider-electric:scd2200_firmware:*
-
cpe:2.3:o:xylem:multismart_firmware:*