CVE-2018-8872
published 2018-05-04


Priority: P2 (75, high)
CVSS 3.0 base score: 8.1
CVSS 3.0 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: listed in VulnCheck KEV; exploited in the wild
EPSS: 2.31% (81.2nd percentile)
In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, system calls read directly from memory addresses within the control program area without any verification. Manipulating this data could allow attacker data to be copied anywhere within memory.

Affected (2 ranges)

Vendor               Product                             Version range     Fixed in
schneider-electric   triconex_tricon_mp_3008_firmware    10.0 – 10.4       (not listed)
schneider_electric   triconex_tricon                     (not specified)   (not listed)

Detection & IOCs (extracted from sources)

YARA rule: https://ics-cert.us-cert.gov/sites/default/files/file_attach/MAR-17-352-01.yara
  • HatMan malware specifically targets CVE-2018-8872 and CVE-2018-7522 on Schneider Electric Triconex Tricon MP Model 3008 firmware versions 10.0-10.4; detection should focus on this malware family against these specific firmware versions.
  • The vulnerability allows attacker-controlled data to be copied anywhere within memory via unverified system calls reading directly from control program area memory addresses; monitor for anomalous memory write activity in the Tricon control program area.
  • HatMan malware requires unrestricted access to the safety network; monitor for unexpected connections to the safety network from external or non-TriStation hosts.
  • Only MP Model 3008 firmware versions 10.0-10.4 are affected; other models or firmware versions are not listed as vulnerable.
  • Exploitation is rated as requiring a high skill level despite being remotely exploitable (CVSS v3 base score 9.0, vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.0      8.1     HIGH       CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck   -         8.1     HIGH       -