CVE-2018-7522
published 2018-05-04

Priority: P277 medium
CVSS 3.0: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 0.43% (34.5th percentile)

In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, when a system call is made, registers are stored to a fixed memory location. Modifying the data in this location could allow attackers to gain supervisor-level access and control system states.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| schneider-electric | triconex_tricon_mp_3008_firmware | 10.0 – 10.0-10.4 | |
| schneider_electric | triconex_tricon | | |

Detection & IOCs (extracted from sources)

url: https://ics-cert.us-cert.gov/sites/default/files/file_attach/MAR-17-352-01.yara
  • HatMan malware specifically targets CVE-2018-7522 and CVE-2018-8872 on Triconex Tricon MP Model 3008 firmware 10.0-10.4; presence of HatMan binary components can be detected using the published YARA rule (MAR-17-352-01.yara).
  • CVE-2018-7522 exploitation involves writing attacker-controlled data to a fixed memory location used to store registers during system calls, enabling supervisor-level privilege escalation on the Tricon MP Model 3008.
  • HatMan malware requires unrestricted access to the safety network; monitor for unexpected remote or physical access to the safety network as a precursor indicator.
  • CVE-2018-7522 only affects Triconex Tricon MP Model 3008 firmware versions 10.0 through 10.4; systems running Tricon CX v11.4 or later are not affected.
  • Exploitation requires the attacker to already have local high-privilege access (CVSS AV:L/PR:H), limiting remote-only attack scenarios despite the advisory noting remote exploitability in the context of HatMan.
  • Schneider Electric's HatMan malware detection service requires customers to have a support contract in place as of February 1, 2019; data must be sent to Schneider Electric for analysis.

CVSS provenance

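| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.7 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 6.7 | MEDIUM | |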