Insufficiently Protected Credentials in EcoStruxure Control Expert and Process Expert by Schneider Electric
CVE-2021-22780

7.1 HIGH

Summary

A vulnerability in Schneider Electric's EcoStruxure Control Expert and Process Expert allows unauthorized users to bypass password protection on project files. When these files are shared with untrusted sources, attackers can exploit the insufficiently protected credentials to gain access to, view, and modify sensitive information. This poses significant security risks, particularly in environments where data integrity and confidentiality are paramount.

Affected Version(s)

EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
