Vulnerability identifier: #VU48745
Vulnerability risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-269
Exploitation vector: Local
Exploit availability: No
Vulnerable software: EcoStruxure Operator Terminal Expert
Client/Desktop applications / Other client software
Vendor: Schneider Electric
Description
The vulnerability allows a local attacker to escalate privileges.
The vulnerability exists due to improper privilege management. A local attacker can escalate privileges when interacting directly with a driver installed by the runtime software.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
EcoStruxure Operator Terminal Expert: 3.1 SP1A
External links
http://www.se.com/ww/en/download/document/SEVD-2020-315-02/
http://us-cert.cisa.gov/ics/advisories/icsa-20-336-01
Can this vulnerability be exploited remotely?
No. This vulnerability can only be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.