Missing Encryption in Modicon M221 by Schneider Electric
CVE-2020-7567

5.7MEDIUM

Key Information:

Vendor: Schneider Electric
Status: Modicon M221, All References, All Versions
Vendor: CVE Published:; 19 November 2020

Summary

A vulnerability exists in the Modicon M221 controllers manufactured by Schneider Electric that stems from missing encryption for sensitive data. By capturing network traffic between the EcoStruxure Machine - Basic software and the Modicon M221 controller, an attacker could potentially retrieve the password hash. This situation underscores the importance of proper encryption practices to safeguard sensitive information and prevent unauthorized access.

Affected Version(s)

Modicon M221, all references, all Modicon M221, all references, all versions

References

https://www.se.com/ww/en/download/document/SEVD-2020-315-05/

x_refsource_MISC

https://us-cert.cisa.gov/ics/advisories/icsa-20-343-04

x_refsource_MISC

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Nov 19, 2020
Vulnerability Reserved
Jan 21, 2020