Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-7475

A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), reflective DLL, vulnerability exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20), Modicon M580 (all versions prior to V3.10), which, if exploited, could allow attackers to transfer malicious code to the controller.

Published

2020-03-23T19:15:12.413

Last Modified

2024-11-21T05:37:13.210

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-74
Type: Primary
CWE-74

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	schneider-electric	ecostruxure_control_expert	≤ 14.0	Yes
Application	schneider-electric	unity_pro	*	Yes
Operating System	schneider-electric	modicon_m340_firmware	< 3.20	Yes
Hardware	schneider-electric	modicon_m340	-	No
Operating System	schneider-electric	modicon_m580_firmware	< 3.10	Yes
Hardware	schneider-electric	modicon_m580	-	No

References

http://www.se.com/ww/en/download/document/SEVD-2020-080-01 Vendor Advisory ([email protected])
http://www.se.com/ww/en/download/document/SEVD-2020-080-01 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)