Schneider-Electric Ecostruxure Control Expert vulnerabilities
18 known vulnerabilities affecting schneider-electric/ecostruxure_control_expert.
Total CVEs
18
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL4HIGH8MEDIUM6
Vulnerabilities
Page 1 of 1
CVE-2023-27975HIGHCVSS 7.1fixed in 16.02024-02-14
CVE-2023-27975 [HIGH] CWE-522 CVE-2023-27975:
CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized
ac
CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized
access to the project file in EcoStruxure Control Expert when a local user tampers with the
memory of the engineering workstation.
nvd
CVE-2023-6409HIGHCVSS 7.7fixed in 16.02024-02-14
CVE-2023-6409 [HIGH] CWE-798 CVE-2023-6409:
CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause unauthorized
access to
CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause unauthorized
access to a project file protected with application password when opening the file with
EcoStruxure Control Expert.
nvd
CVE-2023-6408HIGHCVSS 8.1fixed in 16.02024-02-14
CVE-2023-6408 [HIGH] CWE-924 CVE-2023-6408:
CWE-924: Improper Enforcement of Message Integrity During Transmission in a
Communication Channel v
CWE-924: Improper Enforcement of Message Integrity During Transmission in a
Communication Channel vulnerability exists that could cause a denial of service and loss of
confidentiality, integrity of controllers when conducting a Man in the Middle attack.
nvd
CVE-2023-27976HIGHCVSS 8.8≥ 15.12023-04-18
CVE-2023-27976 [HIGH] CWE-668 CVE-2023-27976:
A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause
remote code e
A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause
remote code execution when a valid user visits a malicious link provided through the web
endpoints. Affected Products: EcoStruxure Control Expert (V15.1 and above)
nvd
CVE-2023-1548MEDIUMCVSS 5.5≥ 15.12023-04-18
CVE-2023-1548 [MEDIUM] CWE-269 CVE-2023-1548:
A CWE-269: Improper Privilege Management vulnerability exists that could cause a local user to
perf
A CWE-269: Improper Privilege Management vulnerability exists that could cause a local user to
perform a denial of service through the console server service that is part of EcoStruxure Control Expert. Affected Products: EcoStruxure Control Expert (V15.1 and above)
nvd
CVE-2022-37302MEDIUMCVSS 5.5fixed in 15.1v15.12022-09-13
CVE-2022-37302 [MEDIUM] CWE-119 CVE-2022-37302: A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exi
A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a crash of the Control Expert software when an incorrect project file is opened. Affected Products: EcoStruxure Control Expert(V15.1 HF001 and prior).
nvd
CVE-2022-37300CRITICALCVSS 9.8fixed in 15.12022-09-12
CVE-2022-37300 [CRITICAL] CWE-640 CVE-2022-37300: A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could c
A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoSt
nvd
CVE-2022-26507CRITICALCVSS 9.8fixed in 15.1v15.12022-04-14
CVE-2022-26507 [CRITICAL] CVE-2022-26507: A heap-based buffer overflow exists in XML Decompression DecodeTreeBlock in AT&T Labs Xmill 0.7. A c
A heap-based buffer overflow exists in XML Decompression DecodeTreeBlock in AT&T Labs Xmill 0.7. A crafted input file can lead to remote code execution. This is not the same as any of: CVE-2021-21810, CVE-2021-21811, CVE-2021-21812, CVE-2021-21815, CVE-2021-21825, CVE-2021-21826, CVE-2021-21828, CVE-2021-21829, or CVE-2021-21830. NOTE: This vulnerability
nvd
CVE-2021-22797HIGHCVSS 7.8fixed in 15.12022-04-13
CVE-2021-22797 [HIGH] CWE-22 CVE-2021-22797: A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal) vulnerabilit
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal) vulnerability exists that could cause malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file is loaded in the engineering software. Affected Product: EcoStruxure Contr
nvd
CVE-2022-24323MEDIUMCVSS 5.9fixed in 15.0v15.02022-03-09
CVE-2022-24323 [MEDIUM] CWE-754 CVE-2022-24323: A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could caus
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause a disruption of communication between the Modicon controller and the engineering software, when an attacker is able to intercept and manipulate specific Modbus response data. Affected Product: EcoStruxure Process Expert (V2021 and prior), EcoStruxur
nvd
CVE-2022-24322MEDIUMCVSS 5.9fixed in 15.0v15.02022-03-09
CVE-2022-24322 [MEDIUM] CWE-119 CVE-2022-24322: A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exi
A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a disruption of communication between the Modicon controller and the engineering software when an attacker is able to intercept and manipulate specific Modbus response data. Affected Product: EcoStruxure Control Expert (V15.0 SP1
nvd
CVE-2021-22779CRITICALCVSS 9.1fixed in 15.0v15.02021-07-14
CVE-2021-22779 [CRITICAL] CWE-290 CVE-2021-22779: Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions p
Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), SCADAPack RemoteConnect for x70 (all versions), Modicon M580
nvd
CVE-2021-22780HIGHCVSS 7.1fixed in 15.0v15.02021-07-14
CVE-2021-22780 [HIGH] CWE-522 CVE-2021-22780: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all version
Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause unauthorized access to a project
nvd
CVE-2021-22778HIGHCVSS 7.1fixed in 15.0v15.02021-07-14
CVE-2021-22778 [HIGH] CWE-522 CVE-2021-22778: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all version
Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause protected derived function block
nvd
CVE-2021-22781MEDIUMCVSS 5.5fixed in 15.0v15.02021-07-14
CVE-2021-22781 [MEDIUM] CWE-522 CVE-2021-22781: Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all version
Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause a leak of SMTP credential used
nvd
CVE-2021-22782MEDIUMCVSS 5.5fixed in 15.0v15.02021-07-14
CVE-2021-22782 [MEDIUM] CWE-311 CVE-2021-22782: Missing Encryption of Sensitive Data vulnerability exists in EcoStruxure Control Expert (all version
Missing Encryption of Sensitive Data vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause an information leak allowing d
nvd
CVE-2020-7475CRITICALCVSS 9.8≤ 14.02020-03-23
CVE-2020-7475 [CRITICAL] CWE-74 CVE-2020-7475: A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Inj
A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), reflective DLL, vulnerability exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20), Modicon M580 (all versions prior to V3.10), which, if exploited, co
nvd
CVE-2019-6855HIGHCVSS 7.3fixed in 14.1v14.12020-01-06
CVE-2019-6855 [HIGH] CWE-863 CVE-2019-6855: Incorrect Authorization vulnerability exists in EcoStruxure Control Expert (all versions prior to 14
Incorrect Authorization vulnerability exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20) , and Modicon M580 (all versions prior to V3.10), which could cause a bypass of the authentication process between EcoStruxure Control Expert and the M340 and M580 controlle
nvd