Third-Party Component Vulnerability in Schneider Electric HMI Products
CVE-2024-11999

8.8 HIGH

Summary

CVE-2024-11999 is a critical vulnerability categorized as CWE-1104 (use of unmaintained third-party components) in Schneider Electric's HMI products. It allows authenticated users to execute malicious code, potentially granting them complete control over the device. A successful attacker could manipulate device functions, leading to unauthorized access and severe operational risk. Organizations using affected versions must take preventive action to secure their HMI systems. Comprehensive patching and stringent security measures are essential to mitigate the impact.

Affected Version(s)

Harmony (formerly Magelis) HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7 series with EcoStruxure Operator Terminal Expert runtime: All versions

PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100 series with Pro-face BLUE runtime: All versions

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database