CVE-2019-6855

CWE-863 — Incorrect Authorization3 documents3 sources

Severity

7.3HIGH

EPSS

0.2%

top 59.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider-electric Ecostruxure Control Expert Schneider-electric Modicon M340 Bmxp341000 Firmware Schneider-electric Modicon M340 Bmxp342000 Firmware +19 more

Timeline

PublishedJan 6

Latest updateMay 24

Description

Incorrect Authorization vulnerability exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20) , and Modicon M580 (all versions prior to V3.10), which could cause a bypass of the authentication process between EcoStruxure Control Expert and the M340 and M580 controllers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages22 packages

▶NVDschneider-electric/ecostruxure_control_expert< 14.1+1

▶NVDschneider-electric/modicon_m340_bmxp341000_firmware< 3.20

▶NVDschneider-electric/modicon_m340_bmxp342000_firmware< 3.20

▶NVDschneider-electric/modicon_m340_bmxp342020_firmware< 3.20

▶NVDschneider-electric/modicon_m580_bmeh582040_firmware< 3.10

🔴Vulnerability Details

GHSA

GHSA-f79p-hq3g-prjw: An Improper Authorization - CWE-285 vulnerability exists in EcoStruxure? Control Expert V14↗2022-05-24

▶

CVEList

CVE-2019-6855: Incorrect Authorization vulnerability exists in EcoStruxure Control Expert (all versions prior to 14↗2020-01-06

▶