Unrestricted File Upload Vulnerability in Schneider Electric's Data Collector
CVE-2021-22803

9.8CRITICAL

Key Information:

Vendor: Schneider Electric
Status: Interactive Graphical Scada System Data Collector (dc.exe) (v15.0.0.21243 And Prior)
Vendor: CVE Published:; 11 February 2022

Summary

A vulnerability exists in Schneider Electric's Interactive Graphical SCADA System Data Collector that allows an attacker to upload arbitrary files, potentially leading to remote code execution. This occurs when crafted messages are sent over the network, enabling the manipulation of file permissions in vulnerable directories associated with the DC module. Users are encouraged to review their systems and implement appropriate security measures to mitigate this risk.

Affected Version(s)

Interactive Graphical SCADA System Data Collector (dc.exe) (V15.0.0.21243 and prior) Interactive Graphical SCADA System Data Collector (dc.exe) (V15.0.0.21243 and prior)

References

https://download.schneider-electric.com/files?p_Doc_Ref=S...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 11, 2022
Vulnerability Reserved
Jan 6, 2021