Path Traversal Vulnerability in EcoStruxure Operator Terminal Expert and Pro-face BLUE by Schneider Electric
CVE-2022-41667

7HIGH

Key Information:

Vendor: Schneider Electric
Status: Ecostruxure Operator Terminal Expert; Pro-face Blue
Vendor: CVE Published:; 4 November 2022

Summary

A vulnerability exists that allows adversaries with local user privileges to exploit improper pathname limitations, enabling the loading of malicious DLL files. This can lead to unauthorized execution of harmful code within affected versions of EcoStruxure Operator Terminal Expert and Pro-face BLUE, compromising the integrity and security of the systems involved. Users should ensure their software is updated to mitigate this risk.

Affected Version(s)

EcoStruxure Operator Terminal Expert V3.3

Pro-face BLUE V3.3

References

https://www.se.com/ww/en/download/document/SEVD-2022-284-01/

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 4, 2022
Vulnerability Reserved
Sep 27, 2022