Weak Password Recovery Mechanism in EcoStruxure Control Expert and Modicon CPUs
CVE-2022-37300
9.8 CRITICAL
Summary
A weak password recovery mechanism enables unauthorized access, with read and write capabilities, to the controller through Modbus communication. This can compromise the integrity and security of industrial control systems. Affected products include EcoStruxure Control Expert and various Modicon CPUs, and the issue poses significant risks for operational technology environments.
Affected Version(s)
EcoStruxure Control Expert SP1 <= 15.0
EcoStruxure Process Expert V <= 2021
Modicon M340 CPU BMXP34 <= 3.40
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved