Insufficient verification of data authenticity in Schneider Electric products - CVE-2020-7487
Published: April 28, 2020
Vulnerability identifier: #VU27383
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-7487
CWE-ID: CWE-345
Exploitation vector: Adjacent network
Exploit availability:
No public exploit available
Vendor: Schneider Electric
Affected software:
EcoStruxure Machine Expert
SoMachine
SoMachine Motion
Modicon M218
Modicon M241
Modicon M251
Modicon M258
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient verification of data authenticity. A remote attacker on the local network can execute arbitrary code on the Modicon controllers.
How to mitigate CVE-2020-7487
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.