Authentication Bypass Vulnerability in EcoStruxure Controllers by Schneider Electric
CVE-2022-45789
8.1 HIGH
Key Information:
- Vendor: Schneider Electric
- Status: Vendor
- CVE Published: 31 January 2023
Summary
An authentication bypass vulnerability allows unauthorized execution of Modbus functions on Schneider Electric controllers. An attacker who hijacks an authenticated Modbus session can exploit this flaw to execute unauthorized commands across various EcoStruxure products, including EcoStruxure Control Expert and EcoStruxure Process Expert, as well as Modicon CPUs. This poses significant risks to industrial control systems and requires immediate attention to secure affected systems.
Affected Version(s)
- EcoStruxure Control Expert: All Versions
- EcoStruxure Process Expert: All Versions
- Modicon M340 CPU (part numbers BMXP34*): All Versions
CVSS V3.1
- Score: 8.1
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved