Path Traversal Vulnerability in EcoStruxure Control Expert and Related Products from Schneider Electric
CVE-2021-22797
7.8 HIGH
Summary
A path traversal vulnerability exists in Schneider Electric's EcoStruxure Control Expert and other related products. When a malicious project file is loaded, the flaw allows an attacker to deploy malicious scripts to unauthorized locations on the engineering workstation, potentially leading to code execution and compromising the system's integrity and security. Affected versions include EcoStruxure Control Expert up to V15.0 SP1, EcoStruxure Process Expert up to 2020, and all versions of SCADAPack RemoteConnect for x70.
Affected Version(s)
EcoStruxure Control Expert < unspecified
EcoStruxure Process Expert < 2020
SCADAPack RemoteConnect for x70 All versions
CVSS V3.1
Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved