Remote Code Execution Vulnerability in Application Due to Untrusted Data Deserialization
CVE-2024-2229

7.8HIGH

Key Information:

Vendor: Schneider Electric
Status: Ecostruxure Power Design - Ecodial
Vendor: CVE Published:; 18 March 2024

Summary

A vulnerability classified under CWE-502 exists within Schneider Electric's software product line, exposing users to the risk of remote code execution when a malicious project file is loaded by an authenticated user. This flaw allows attackers to craft special project files that, when opened, can execute arbitrary code within the software environment, potentially leading to unauthorized access and significant operational disruption. Proper mitigation measures and user awareness are critical to safeguard against this type of vulnerability.

Affected Version(s)

EcoStruxure Power Design - Ecodial All Versions NL

EcoStruxure Power Design - Ecodial All Versions INT

EcoStruxure Power Design - Ecodial All Versions FR

References

https://download.schneider-electric.com/files?p_Doc_Ref=S...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 18, 2024
Vulnerability Reserved
Mar 6, 2024

Collectors

NVD DatabaseMitre Database