Schneider Electric Ecostruxure Process Expert vulnerabilities
10 known vulnerabilities affecting schneider_electric/ecostruxure_process_expert.
Total CVEs
10
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL3HIGH6MEDIUM1
Vulnerabilities
Page 1 of 1
CVE-2025-13905HIGHCVSS 7.0vVersions prior to 20252026-01-29
CVE-2025-13905 [HIGH] CWE-276 CVE-2025-13905: CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation t
CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation through the reverse shell when one or more executable service binaries are modified in the installation folder by a local user with normal privilege upon service restart.
cvelistv5nvd
CVE-2025-0327HIGHCVSS 8.5vVersions 2020R2vVersions 2021 & 2023 (prior to v4.8.0.5715)2025-02-13
CVE-2025-0327 [HIGH] CWE-269 CVE-2025-0327: CWE-269: Improper Privilege Management vulnerability exists for two services (of which one managing
CWE-269: Improper Privilege Management vulnerability exists for two services (of which one managing audit
trail data and the other acting as server managing client request) that could cause a loss of Confidentiality,
Integrity and Availability of engineering workstation when an attacker with standard privilege modifies the
executable path of the windows
cvelistv5nvd
CVE-2023-27975HIGHCVSS 7.1vVersions prior to v20232024-02-14
CVE-2023-27975 [HIGH] CWE-522 CVE-2023-27975:
CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized
ac
CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized
access to the project file in EcoStruxure Control Expert when a local user tampers with the
memory of the engineering workstation.
cvelistv5nvd
CVE-2023-6408HIGHCVSS 8.1vVersions prior to v20232024-02-14
CVE-2023-6408 [HIGH] CWE-924 CVE-2023-6408:
CWE-924: Improper Enforcement of Message Integrity During Transmission in a
Communication Channel v
CWE-924: Improper Enforcement of Message Integrity During Transmission in a
Communication Channel vulnerability exists that could cause a denial of service and loss of
confidentiality, integrity of controllers when conducting a Man in the Middle attack.
cvelistv5nvd
CVE-2023-6409HIGHCVSS 7.7vVersions prior to v20232024-02-14
CVE-2023-6409 [HIGH] CWE-798 CVE-2023-6409:
CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause unauthorized
access to
CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause unauthorized
access to a project file protected with application password when opening the file with
EcoStruxure Control Expert.
cvelistv5nvd
CVE-2022-45789CRITICALCVSS 9.8vAll Versions2023-01-31
CVE-2022-45789 [CRITICAL] CWE-294 CVE-2022-45789: A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause execution o
A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause execution of unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. Affected Products: EcoStruxure Control Expert (All Versions), EcoStruxure Process Expert (All Versions), Modicon M340 CPU - part numbers BMXP34* (All V
cvelistv5nvd
CVE-2022-45788CRITICALCVSS 9.8vAll Versions2023-01-30
CVE-2022-45788 [CRITICAL] CWE-754 CVE-2022-45788: A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could caus
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause arbitrary code execution, denial of service and loss of confidentiality & integrity when a malicious project file is loaded onto the controller. Affected Products: EcoStruxure Control Expert (All Versions), EcoStruxure Process Expert (All Versions
cvelistv5nvd
CVE-2022-37300CRITICALCVSS 9.8≥ V, ≤ 20212022-09-12
CVE-2022-37300 [CRITICAL] CWE-640 CVE-2022-37300: A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could c
A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoSt
cvelistv5nvd
CVE-2021-22797HIGHCVSS 7.8≥ unspecified, < 20202022-04-13
CVE-2021-22797 [HIGH] CWE-22 CVE-2021-22797: A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal) vulnerabilit
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal) vulnerability exists that could cause malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file is loaded in the engineering software. Affected Product: EcoStruxure Contr
cvelistv5nvd
CVE-2022-24323MEDIUMCVSS 5.9vV2021 and prior2022-03-09
CVE-2022-24323 [MEDIUM] CWE-754 CVE-2022-24323: A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could caus
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause a disruption of communication between the Modicon controller and the engineering software, when an attacker is able to intercept and manipulate specific Modbus response data. Affected Product: EcoStruxure Process Expert (V2021 and prior), EcoStruxur
cvelistv5nvd