Improper Authorization in Schneider Electric products - CVE-2020-28211
Published: November 19, 2020 / Updated: December 14, 2020
Vulnerability identifier: #VU48963
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-28211
CWE-ID: CWE-285
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Schneider Electric
Affected software:
PLC Simulator for EcoStruxure Control Expert
PLC Simulator for Unity Pro
EcoStruxure Control Expert
PLC Simulator for EcoStruxure Control Expert
PLC Simulator for Unity Pro
EcoStruxure Control Expert
Detailed vulnerability description
The vulnerability allows a local user to bypass authorization checks.
The vulnerability exists due to improper authorization check. A local administrator can bypass authentication when overwriting memory using a debugger.
How to mitigate CVE-2020-28211
Install updates from vendor's website.