#VU54864 Insufficiently protected credentials in Schneider Electric products - CVE-2021-22780
Published: July 14, 2021
Vulnerability identifier: #VU54864
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-22780
CWE-ID: CWE-522
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
EcoStruxure Process Expert
SCADAPack RemoteConnect for x70
SCADAPack 470
SCADAPack 474
SCADAPack 570
SCADAPack 574
SCADAPack 575 RTUs
EcoStruxure Control Expert
Software vendor:
Schneider Electric
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficiently protected credentials. When a password-protected project file is shared with untrusted sources, a remote authenticated attacker can gain unauthorized access to it and view and modify the project file.
Remediation
Install updates from the vendor's website.