Authentication Bypass by Spoofing in Schneider Electric products - CVE-2021-22779

 

Authentication Bypass by Spoofing in Schneider Electric products - CVE-2021-22779

Published: July 14, 2021 / Updated: June 2, 2022


Vulnerability identifier: #VU54863
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-22779
CWE-ID: CWE-290
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Schneider Electric
Affected software:
EcoStruxure Process Expert
SCADAPack RemoteConnect for x70
SCADAPack 470
SCADAPack 474
SCADAPack 570
SCADAPack 574
SCADAPack 575 RTUs
EcoStruxure Control Expert
Modicon M580
Modicon M340

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the authentication bypass by spoofing issue. A remote attacker can gain unauthorized access in read and write mode to the controller.

How to mitigate CVE-2021-22779

Install update from vendor's website.

Sources