Incorrect Authorization in EcoStruxure Control Expert and Modicon Controllers by Schneider Electric
CVE-2019-6855

7.3HIGH

Key Information:

Vendor: Schneider Electric
Status: Ecostruxure Control Expert (all Versions Prior To 14.1 Hot Fix), Unity Pro (all Versions), Modicon M340 (all Versions Prior To V3.20) , And Modicon M580 (all Versions Prior To V3.10)
Vendor: CVE Published:; 6 January 2020

🔔 Create Schneider Electric Vulnerability Alert

What is CVE-2019-6855?

An incorrect authorization vulnerability exists within EcoStruxure Control Expert and its associated Modicon controllers. This flaw allows an attacker to bypass the authentication process between EcoStruxure Control Expert and both the Modicon M340 and M580 controllers, potentially enabling unauthorized access to sensitive system functions. All versions of EcoStruxure Control Expert prior to 14.1 Hot Fix, Unity Pro, and specific versions of Modicon M340 and M580 are impacted, highlighting the need for immediate updates and security assessments.

Affected Version(s)

EcoStruxure Control Expert (all prior to 14.1 Hot Fix), Unity Pro (all ), Modicon M340 (all prior to V3.20) , and Modicon M580 (all prior to V3.10) EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20) , and Modicon M580 (all versions prior to V3.10)

References

https://www.se.com/ww/en/download/document/SEVD-2019-344-02/

x_refsource_MISC

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 6, 2020
Vulnerability Reserved
Jan 25, 2019