Code Execution Vulnerability in Schneider Electric Unity PRO
CVE-2016-8354

7 HIGH

Key Information:

Vendor
CVE Published: 13 February 2017

Summary

A security issue was identified in Schneider Electric Unity PRO prior to version 11.1 that allows a specially crafted Unity project file to exploit the PLC Simulator. The simulator executes x86 instructions directly, and a crafted project file can manipulate the control flow of those instructions, potentially letting an attacker run arbitrary code on the system. This vulnerability underscores the importance of validating project files and of putting appropriate security measures in place to mitigate the risk of unauthorized code execution.

Affected Version(s)

Schneider Electric Unity PRO Control prior to V11.1

CVSS V3.1

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
