Insufficiently Protected Credentials in EcoStruxure Control Expert and EcoStruxure Process Expert
CVE-2021-22781

5.5 MEDIUM

Summary

The vulnerability involves insufficient protection of SMTP credentials used for mailbox authentication within Schneider Electric's EcoStruxure Control Expert, EcoStruxure Process Expert, and related products. When an attacker gains access to a project file, they can potentially expose sensitive credentials, allowing unauthorized access to email communication channels. This incident underscores the importance of implementing robust security measures to safeguard sensitive information within automation software.

Affected Version(s)

  • EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro)
  • EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS)
  • SCADAPack RemoteConnect for x70, all versions

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
