Argument Injection in EcoStruxure Operator Terminal Expert

#VU27966 Argument Injection in EcoStruxure Operator Terminal Expert

Published: 2020-05-18

Vulnerability identifier: #VU27966

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7496

CWE-ID: CWE-88

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
EcoStruxure Operator Terminal Expert
Client/Desktop applications / Other client software

Vendor: Schneider Electric

Description

The vulnerability allows a remote attacker to gain write access to the system.

The vulnerability exists due to the argument injection or modification issue. A remote attacker can trick a victim to open a specially crafted project file and gain unauthorized write access to the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

EcoStruxure Operator Terminal Expert: 3.1 SP1

External links
http://www.se.com/ww/en/download/document/SEVD-2020-133-04/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Schneider Electric EcoStruxure Operator Terminal Expert (Vijeo XD)