Improper Pathname Limitation in Schneider Electric Interactive Graphical SCADA System
CVE-2022-24311

9.8CRITICAL

Key Information:

Vendor: Schneider Electric
Status: Interactive Graphical Scada System Data Server (v15.0.0.22020 And Prior)
Vendor: CVE Published:; 9 February 2022

Summary

A vulnerability exists in the Interactive Graphical SCADA System Data Server due to improper limitation of a pathname to a restricted directory. This issue allows an attacker to potentially modify existing files by inserting data at the beginning or creating new files through specially crafted messages. If exploited, this flaw could lead to remote code execution, posing significant risks to the integrity and security of the system.

Affected Version(s)

Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior)

References

https://download.schneider-electric.com/files?p_Doc_Ref=S...

x_refsource_MISC

https://www.zerodayinitiative.com/advisories/ZDI-22-320/

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 9, 2022
Vulnerability Reserved
Feb 2, 2022