Insufficiently Protected Credentials in EcoStruxure Control Expert and Process Expert by Schneider Electric
CVE-2021-22778

7.1 HIGH

Summary

A vulnerability in EcoStruxure Control Expert and EcoStruxure Process Expert allows unauthorized users to access and potentially modify protected derived function blocks. This issue affects all versions of EcoStruxure Control Expert prior to V15.0 SP1, all versions of Unity Pro, as well as all iterations of EcoStruxure Process Expert, EcoStruxure Hybrid DCS, and SCADAPack RemoteConnect for x70. The flaw may lead to unauthorized users gaining access to sensitive project files, posing serious safety and operational risks.

Affected Version(s)

EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
