VYPR

Ecostruxure Control Expert

by Schneider Electric

CVEs (14)

  • CVE-2022-37300CriSep 12, 2022
    risk 0.64cvss 9.8epss 0.01

    A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions…

  • CVE-2021-22779CriJul 14, 2021
    risk 0.59cvss 9.1epss 0.01

    Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoStruxure Process Expert (all versions, including all versions of EcoStruxure…

  • CVE-2023-27976HigApr 18, 2023
    risk 0.57cvss 8.8epss 0.01

    A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause remote code execution when a valid user visits a malicious link provided through the web endpoints. Affected Products: EcoStruxure Control Expert (V15.1 and above)

  • CVE-2023-6408HigFeb 14, 2024
    risk 0.53cvss 8.1epss 0.00

    CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause a denial of service and loss of confidentiality, integrity of controllers when conducting a Man in the Middle attack.

  • CVE-2022-45789HigJan 31, 2023
    risk 0.53cvss 8.1epss 0.01

    A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause execution of unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. Affected Products: EcoStruxure Control Expert (All Versions), EcoStruxure Process…

  • CVE-2021-22797HigApr 13, 2022
    risk 0.53cvss 7.8epss 0.26

    A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal) vulnerability exists that could cause malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file…

  • CVE-2023-6409HigFeb 14, 2024
    risk 0.50cvss 7.7epss 0.00

    CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to a project file protected with application password when opening the file with EcoStruxure Control Expert.

  • CVE-2022-45788HigJan 30, 2023
    risk 0.49cvss 7.5epss 0.01

    A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause arbitrary code execution, denial of service and loss of confidentiality & integrity when a malicious project file is loaded onto the controller. Affected Products: EcoStruxure…

  • CVE-2023-27975HigFeb 14, 2024
    risk 0.46cvss 7.1epss 0.00

    CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation.

  • CVE-2021-22780HigJul 14, 2021
    risk 0.46cvss 7.1epss 0.00

    Insufficiently Protected Credentials vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack…

  • CVE-2023-1548MedApr 18, 2023
    risk 0.36cvss 5.5epss 0.00

    A CWE-269: Improper Privilege Management vulnerability exists that could cause a local user to perform a denial of service through the console server service that is part of EcoStruxure Control Expert. Affected Products: EcoStruxure Control Expert (V15.1 and above)

  • CVE-2022-37302MedSep 13, 2022
    risk 0.36cvss 5.5epss 0.00

    A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a crash of the Control Expert software when an incorrect project file is opened. Affected Products: EcoStruxure Control Expert(V15.1 HF001 and prior).

  • CVE-2022-24323MedMar 9, 2022
    risk 0.35cvss 5.3epss 0.01

    A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause a disruption of communication between the Modicon controller and the engineering software, when an attacker is able to intercept and manipulate specific Modbus response data.…

  • CVE-2022-24322MedMar 9, 2022
    risk 0.34cvss 5.3epss 0.01

    A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a disruption of communication between the Modicon controller and the engineering software when an attacker is able to intercept and manipulate specific Modbus…