Project Conversion Vulnerability in EcoStruxure Operator Terminal Expert and Pro-face BLUE
CVE-2022-41668

7HIGH

Key Information:

Vendor: Schneider Electric
Status: Ecostruxure Operator Terminal Expert; Pro-face Blue
Vendor: CVE Published:; 4 November 2022

Summary

An incorrect project conversion vulnerability exists in EcoStruxure Operator Terminal Expert and Pro-face BLUE, enabling adversaries with local user privileges to exploit this flaw. By loading a project file from a network share controlled by an attacker, an adversary could execute malicious code, significantly compromising system integrity and security.

Affected Version(s)

EcoStruxure Operator Terminal Expert V3.3

Pro-face BLUE V3.3

References

https://www.se.com/ww/en/download/document/SEVD-2022-284-01/

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 4, 2022
Vulnerability Reserved
Sep 27, 2022