Injection Vulnerability in EcoStruxure Control Expert, Unity Pro and Modicon Controllers
CVE-2020-7475

9.8 CRITICAL

Summary

An injection vulnerability exists in EcoStruxure Control Expert, Unity Pro, and Modicon controllers that allows attackers to inject malicious code. This occurs due to improper neutralization of special elements in output processed by downstream components. The exposure affects all versions of EcoStruxure Control Expert prior to 14.1 Hot Fix, Unity Pro, and various versions of Modicon controllers, making them susceptible to exploitation if timely patches are not applied.

Affected Version(s)

EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20), Modicon M580 (all versions prior to V3.10)

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
