Improper Restriction of Excessive Authentication Attempts in Schneider Electric products - CVE-2020-28212
Published: November 19, 2020 / Updated: December 14, 2020
Vulnerability identifier: #VU48964
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-28212
CWE-ID: CWE-307
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Schneider Electric
Affected software:
PLC Simulator for EcoStruxure Control Expert
PLC Simulator for Unity Pro
EcoStruxure Control Expert
PLC Simulator for EcoStruxure Control Expert
PLC Simulator for Unity Pro
EcoStruxure Control Expert
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to the system.
The vulnerability exists due to the authentication mechanism has no brute-force prevention. A remote attacker can launch a brute-force authentication attack and cause unauthorized command execution.
How to mitigate CVE-2020-28212
Install updates from vendor's website.