Code Injection Flaw in Schneider Electric HMI Software
CVE-2023-1049
7.8 HIGH
Key Information:
- Vendor: Schneider Electric
- CVE Published: 14 June 2023
Summary
A code injection vulnerability exists within Schneider Electric's HMI software that can allow an adversary to execute unauthorized commands. This vulnerability is triggered when an unsuspecting user loads a project file from their local filesystem, potentially opening the door to malicious code execution. Proper precautions and security measures should be implemented to mitigate the risks associated with this vulnerability.
Affected Version(s)
EcoStruxure™ Operator Terminal Expert 3.3 SP1 and prior
Pro-face BLUE 3.3 SP1 and prior
CVSS V3.1
- Score: 7.8
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved