Improper Input Validation in EcoStruxure™ Operator Terminal Expert by Schneider Electric
CVE-2020-28221

9.8CRITICAL

Key Information:

Vendor: Schneider Electric
Status: Ecostruxure™ Operator Terminal Expert 3.1 Service Pack 1a And Prior Running On Harmony Hmis Hmist6 Series, Hmig3u In Hmigtu Series, Hmisto Series And Pro-face Blue 3.1 Service Pack 1a And Prior Running On Pro-face Hmis: St6000 Series, Sp-5b41 In Sp5000 Series, Gp4100 Series
Vendor: CVE Published:; 26 January 2021

Summary

An improper input validation vulnerability exists in EcoStruxure™ Operator Terminal Expert and Pro-face BLUE. This flaw could allow an attacker to execute arbitrary code on the HMI when the Ethernet Download feature is enabled. Users are advised to disable this feature and implement security measures to protect their systems.

Affected Version(s)

EcoStruxure™ Operator Terminal Expert 3.1 Service Pack 1A and prior running on Harmony HMIs HMIST6 Series, HMIG3U in HMIGTU Series, HMISTO Series and Pro-face BLUE 3.1 Service Pack 1A and prior running on Pro-face HMIs: ST6000 Series, SP-5B41 in SP5000 Series, GP4100 Series EcoStruxure™ Operator Terminal Expert 3.1 Service Pack 1A and prior running on Harmony HMIs HMIST6 Series, HMIG3U in HMIGTU Series, HMISTO Series and Pro-face BLUE 3.1 Service Pack 1A and prior running on Pro-face HMIs: ST6000 Series, SP-5B41 in SP5000 Series, GP4100 Series

References

https://www.se.com/ww/en/download/document/SEVD-2021-012-01/

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 26, 2021
Vulnerability Reserved
Nov 5, 2020