CVE-2017-6028

CWE-522 — Insufficiently Protected Credentials3 documents3 sources

Severity

9.8CRITICAL

EPSS

0.3%

top 45.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider-electric Modicon M241 Firmware Schneider-electric Modicon M251 Firmware

Timeline

PublishedJun 30

Latest updateMay 13

Description

An Insufficiently Protected Credentials issue was discovered in Schneider Electric Modicon PLCs Modicon M241, all firmware versions, and Modicon M251, all firmware versions. Log-in credentials are sent over the network with Base64 encoding leaving them susceptible to sniffing. Sniffed credentials could then be used to log into the web application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDschneider-electric/modicon_m241_firmware4.0.3.20

▶NVDschneider-electric/modicon_m251_firmware4.0.3.20

▶CVEListV5schneider_electric_modicon_plcsSchneider Electric Modicon PLCs

🔴Vulnerability Details

GHSA

GHSA-55h6-p6m7-f4h7: An Insufficiently Protected Credentials issue was discovered in Schneider Electric Modicon PLCs Modicon M241, all firmware versions, and Modicon M251,↗2022-05-13

▶

CVEList

CVE-2017-6028: An Insufficiently Protected Credentials issue was discovered in Schneider Electric Modicon PLCs Modicon M241, all firmware versions, and Modicon M251,↗2017-06-30

▶