Schneider-Electric: Security Vulnerabilities
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability exists that could allow an authenticated user with access to the device’s web interface to corrupt files and impact device functionality when sending a crafted HTTP request.
CVSS Score
8.1
EPSS Score
0.006
Published
2024-06-12
CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes an SSH interface over the product network interface. This does not allow direct exploitation of the product or any unintended operation, as access to the SSH interface is protected by an authentication mechanism. Impacts are limited to port scanning and fingerprinting activities, as well as attempts to perform a potential denial-of-service attack on the exposed SSH interface.
CVSS Score
6.5
EPSS Score
0.002
Published
2024-06-12
CWE-552: Files or Directories Accessible to External Parties vulnerability exists which may prevent the user from updating the device firmware and prevent proper behavior of the webserver when specific files or directories are removed from the filesystem.
CVSS Score
6.5
EPSS Score
0.002
Published
2024-06-12
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause a denial of service and loss of confidentiality and integrity of controllers when conducting a Man in the Middle attack.
CVSS Score
8.1
EPSS Score
0.002
Published
2024-02-14
CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to a project file protected with an application password when opening the file with EcoStruxure Control Expert.
CVSS Score
7.7
EPSS Score
0.001
Published
2024-02-14
CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation.
CVSS Score
7.1
EPSS Score
0.001
Published
2024-02-14
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker logged in with a user level account to gain higher privileges by providing a harmful serialized object.
CVSS Score
7.8
EPSS Score
0.002
Published
2024-01-09
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file deletion upon service restart when accessed by a local and low-privileged attacker.
CVSS Score
5.3
EPSS Score
0.001
Published
2023-12-14
A CWE-494: Download of Code Without Integrity Check vulnerability exists that could allow a privileged user to install an untrusted firmware.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-12-14
A CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability exists that could cause disclosure of information through phishing attempts over HTTP.
CVSS Score
8.2
EPSS Score
0.002
Published
2023-12-14