Unverified Password Change in Modicon PLCs and BMXNOR0200 by Schneider Electric
CVE-2018-7809

9.8CRITICAL

Key Information:

Vendor: Schneider Electric
Status: Embedded Web Servers In All Modicon M340, Premium, Quantum Plcs And Bmxnor0200
Vendor: CVE Published:; 30 November 2018

Summary

An unverified password change vulnerability exists in the embedded web servers of Modicon M340, Premium, Quantum PLCs, and BMXNOR0200. This weakness could allow an unauthenticated remote user to access critical password management functions, potentially leading to unauthorized control over system configurations. Organizations utilizing these products must take immediate action to mitigate risks associated with this vulnerability.

Affected Version(s)

Embedded Web Servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 Embedded Web Servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200

References

https://www.tenable.com/security/research/tra-2018-38

x_refsource_MISC

https://www.schneider-electric.com/en/download/document/S...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 30, 2018
Vulnerability Reserved
Mar 8, 2018