Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-22810

Summary
Assigner-schneider
Assigner Org ID-076d1eb6-cfab-4401-b34d-6dfc2a413bdb
Published At-09 Feb, 2022 | 22:05
Updated At-03 Aug, 2024 | 03:21
Rejected At-
Credits

A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:schneider
Assigner Org ID:076d1eb6-cfab-4401-b34d-6dfc2a413bdb
Published At:09 Feb, 2022 | 22:05
Updated At:03 Aug, 2024 | 03:21
Rejected At:
▼CVE Numbering Authority (CNA)

A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)

Affected Products
Vendor
n/a
Product
spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)
Versions
Affected
  • spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)
Problem Types
TypeCWE IDDescription
CWECWE-307CWE-307: Improper Restriction of Excessive Authentication Attempts
Type: CWE
CWE ID: CWE-307
Description: CWE-307: Improper Restriction of Excessive Authentication Attempts
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04
x_refsource_MISC
Hyperlink: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04
x_refsource_MISC
x_transferred
Hyperlink: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cybersecurity@se.com
Published At:09 Feb, 2022 | 23:15
Updated At:16 Feb, 2022 | 18:23

A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
CPE Matches

Schneider Electric SE
schneider-electric
>>spacelynk_firmware>>Versions up to 2.6.2(inclusive)
cpe:2.3:o:schneider-electric:spacelynk_firmware:*:*:*:*:*:*:*:*
Schneider Electric SE
schneider-electric
>>spacelynk>>-
cpe:2.3:h:schneider-electric:spacelynk:-:*:*:*:*:*:*:*
Schneider Electric SE
schneider-electric
>>wiser_for_knx_firmware>>Versions up to 2.6.2(inclusive)
cpe:2.3:o:schneider-electric:wiser_for_knx_firmware:*:*:*:*:*:*:*:*
Schneider Electric SE
schneider-electric
>>wiser_for_knx>>-
cpe:2.3:h:schneider-electric:wiser_for_knx:-:*:*:*:*:*:*:*
Schneider Electric SE
schneider-electric
>>fellerlynk_firmware>>Versions up to 2.6.2(inclusive)
cpe:2.3:o:schneider-electric:fellerlynk_firmware:*:*:*:*:*:*:*:*
Schneider Electric SE
schneider-electric
>>fellerlynk>>-
cpe:2.3:h:schneider-electric:fellerlynk:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-307Primarycybersecurity@se.com
CWE ID: CWE-307
Type: Primary
Source: cybersecurity@se.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04cybersecurity@se.com
Patch
Vendor Advisory
Hyperlink: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04
Source: cybersecurity@se.com
Resource:
Patch
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

359Records found

CVE-2022-30235
Matching Score-10
Assigner-Schneider Electric
ShareView Details
Matching Score-10
Assigner-Schneider Electric
CVSS Score-8.6||HIGH
EPSS-0.34% / 55.82%
||
7 Day CHG~0.00%
Published-02 Jun, 2022 | 22:45
Updated-16 Sep, 2024 | 17:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow unauthorized access when an attacker uses brute force. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)

Action-Not Available
Vendor-
Product-wiser_smart_eer21000wiser_smart_eer21001_firmwarewiser_smart_eer21000_firmwarewiser_smart_eer21001Wiser Smart
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-28212
Matching Score-10
Assigner-Schneider Electric
ShareView Details
Matching Score-10
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-1.40% / 79.63%
||
7 Day CHG~0.00%
Published-19 Nov, 2020 | 21:03
Updated-04 Aug, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when a brute force attack is done over Modbus.

Action-Not Available
Vendor-n/a
Product-ecostruxure_control_expertPLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions)
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-22818
Matching Score-10
Assigner-Schneider Electric
ShareView Details
Matching Score-10
Assigner-Schneider Electric
CVSS Score-7.5||HIGH
EPSS-0.25% / 48.25%
||
7 Day CHG~0.00%
Published-28 Jan, 2022 | 19:09
Updated-03 Aug, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to gain unauthorized access to the charging station web interface by performing brute force attacks. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2)

Action-Not Available
Vendor-n/a
Product-evlink_city_evc1s22p4evlink_parking_evf2evlink_parking_evp2pe_firmwareevlink_parking_evf2_firmwareevlink_parking_evw2evlink_parking_evp2peevlink_city_evc1s22p4_firmwareevlink_city_evc1s7p4_firmwareevlink_smart_wallbox_evb1a_firmwareevlink_smart_wallbox_evb1aevlink_parking_evw2_firmwareevlink_city_evc1s7p4n/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-22737
Matching Score-10
Assigner-Schneider Electric
ShareView Details
Matching Score-10
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-0.30% / 53.11%
||
7 Day CHG~0.00%
Published-26 May, 2021 | 00:00
Updated-03 Aug, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficiently Protected Credentials vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior that could cause unauthorized access of when credentials are discovered after a brute force attack.

Action-Not Available
Vendor-n/a
Product-homelynkspacelynk_firmwarehomelynk_firmwarespacelynkhomeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-7508
Matching Score-10
Assigner-Schneider Electric
ShareView Details
Matching Score-10
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-0.26% / 48.83%
||
7 Day CHG~0.00%
Published-16 Jun, 2020 | 19:44
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to gain full access by brute force.

Action-Not Available
Vendor-n/a
Product-easergy_t300easergy_t300_firmwareEasergy T300 (Firmware version 1.5.2 and older)
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-7525
Matching Score-10
Assigner-Schneider Electric
ShareView Details
Matching Score-10
Assigner-Schneider Electric
CVSS Score-7.5||HIGH
EPSS-0.99% / 75.97%
||
7 Day CHG~0.00%
Published-31 Aug, 2020 | 16:12
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Restriction of Excessive Authentication Attempts vulnerability exists in all hardware versions of spaceLYnk and Wiser for KNX (formerly homeLYnk) which could allow an attacker to guess a password when brute force is used.

Action-Not Available
Vendor-n/a
Product-wiser_for_knx_firmwarespacelynk_firmwarewiser_for_knxspacelynkAll hardware versions of spaceLYnk and Wiser for KNX (formerly homeLYnk)
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2022-32515
Matching Score-10
Assigner-Schneider Electric
ShareView Details
Matching Score-10
Assigner-Schneider Electric
CVSS Score-8.6||HIGH
EPSS-0.16% / 36.92%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause brute force attacks to take over the admin account when the product does not implement a rate limit mechanism on the admin authentication form. Affected Products: Conext™ ComBox (All Versions)

Action-Not Available
Vendor-Schneider Electric SE
Product-conext_comboxconext_combox_firmwareConext™ ComBox
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2022-46680
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-8.8||HIGH
EPSS-0.12% / 31.11%
||
7 Day CHG~0.00%
Published-22 May, 2023 | 13:25
Updated-21 Jan, 2025 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-319: Cleartext transmission of sensitive information vulnerability exists that could cause disclosure of sensitive information, denial of service, or modification of data if an attacker is able to intercept network traffic.

Action-Not Available
Vendor-Schneider Electric SE
Product-powerlogic_ion8650powerlogic_ion9000_firmwarepowerlogic_ion9000powerlogic_pm8000powerlogic_pm8000_firmwarepowerlogic_ion7400_firmwarepowerlogic_ion8800_firmwarepowerlogic_ion8800powerlogic_ion7400powerlogic_ion8650_firmwarePowerLogic ION9000PowerLogic ION8800Legacy ION products PowerLogic PM8000PowerLogic ION7400PowerLogic ION8650
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2022-45788
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-7.5||HIGH
EPSS-0.29% / 52.23%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause arbitrary code execution, denial of service and loss of confidentiality & integrity when a malicious project file is loaded onto the controller. Affected Products: EcoStruxure Control Expert (All Versions), EcoStruxure Process Expert (All Versions), Modicon M340 CPU - part numbers BMXP34* (All Versions), Modicon M580 CPU - part numbers BMEP* and BMEH* (All Versions), Modicon M580 CPU Safety - part numbers BMEP58*S and BMEH58*S (All Versions), Modicon Momentum Unity M1E Processor - 171CBU* (All Versions), Modicon MC80 - BMKC80 (All Versions), Legacy Modicon Quantum - 140CPU65* and Premium CPUs - TSXP57* (All Versions)

Action-Not Available
Vendor-Schneider Electric SE
Product-modicon_m340_bmxp342030_firmwaremodicon_premium_tsxp57_454mmodicon_m340_bmxp3420302h_firmwaremodicon_premium_tsxp57_2834m_firmwaremodicon_premium_tsxp57_6634m_firmwaremodicon_m340_bmxp342020h_firmwaremodicon_m580_bmep583040_firmwaremodicon_m580_bmeh582040smodicon_quantum_140cpu65160_firmwaremodicon_m340_bmxp3420302_firmwaremodicon_m340_bmxp342010modicon_m580_bmeh584040smodicon_m580_bmep582020h_firmwaremodicon_m580_bmep584040s_firmwaremodicon_m580_bmep584040modicon_m340_bmxp342010_firmwaremodicon_m340_bmxp342020_firmwaremodicon_mc80_bmkc8020310_firmwaremodicon_m340_bmxp3420102_firmwaremodicon_m580_bmep585040_firmwaremodicon_m580_bmep582040h_firmwaremodicon_premium_tsxp57_454m_firmwaremodicon_quantum_140cpu65150modicon_m580_bmep584040_firmwaremodicon_momentum_171cbu78090_firmwaremodicon_m580_bmep584040smodicon_m580_bmeh582040cmodicon_m580_bmep583040ecostruxure_control_expertmodicon_m580_bmep582040modicon_m580_bmep585040modicon_premium_tsxp57_4634mmodicon_m580_bmep584020_firmwaremodicon_m580_bmeh584040modicon_m580_bmep585040c_firmwaremodicon_premium_tsxp57_2634m_firmwaremodicon_m580_bmeh584040_firmwaremodicon_momentum_171cbu78090modicon_premium_tsxp57_5634mmodicon_m580_bmep581020h_firmwaremodicon_m580_bmep584020modicon_mc80_bmkc8020301modicon_m580_bmeh584040s_firmwaremodicon_momentum_171cbu98090_firmwaremodicon_m580_bmep582040smodicon_premium_tsxp57_1634m_firmwaremodicon_m340_bmxp342020modicon_m340_bmxp342030hmodicon_m340_bmxp342020hmodicon_m580_bmeh586040cmodicon_m580_bmep582020_firmwaremodicon_momentum_171cbu98091modicon_m340_bmxp342000_firmwaremodicon_m580_bmep581020hmodicon_m580_bmeh586040_firmwaremodicon_m580_bmeh584040cmodicon_m340_bmxp342030modicon_m580_bmeh586040c_firmwaremodicon_m580_bmep586040_firmwaremodicon_m580_bmeh582040_firmwaremodicon_quantum_140cpu65150c_firmwaremodicon_m580_bmep582040_firmwaremodicon_m580_bmeh582040modicon_quantum_140cpu65160c_firmwaremodicon_mc80_bmkc8030311modicon_quantum_140cpu65160modicon_momentum_171cbu98090modicon_premium_tsxp57_1634mmodicon_m580_bmeh582040c_firmwaremodicon_m580_bmep583020modicon_m580_bmeh586040s_firmwaremodicon_m580_bmeh586040smodicon_m580_bmep586040modicon_premium_tsxp57_2634mmodicon_m340_bmxp342000modicon_m580_bmeh586040modicon_m580_bmep583020_firmwaremodicon_premium_tsxp57_5634m_firmwaremodicon_premium_tsxp57_554m_firmwaremodicon_m340_bmxp341000modicon_mc80_bmkc8020310modicon_m580_bmep582020modicon_quantum_140cpu65160cmodicon_m580_bmeh584040c_firmwaremodicon_quantum_140cpu65150_firmwaremodicon_momentum_171cbu98091_firmwaremodicon_quantum_140cpu65150cmodicon_m340_bmxp3420302hmodicon_m580_bmep585040cmodicon_mc80_bmkc8030311_firmwaremodicon_m580_bmep582040hmodicon_m340_bmxp3420302modicon_premium_tsxp57_554mmodicon_m580_bmep582040s_firmwaremodicon_premium_tsxp57_2834mmodicon_m340_bmxp341000_firmwaremodicon_m580_bmep581020_firmwaremodicon_mc80_bmkc8020301_firmwareecostruxure_process_expertmodicon_m580_bmep581020modicon_m580_bmep586040cmodicon_premium_tsxp57_4634m_firmwaremodicon_m340_bmxp342030h_firmwaremodicon_m580_bmep582020hmodicon_m580_bmep586040c_firmwaremodicon_m340_bmxp3420102modicon_m580_bmeh582040s_firmwaremodicon_premium_tsxp57_6634mModicon MC80 (BMKC80)Legacy Modicon Quantum (140CPU65*) and Premium CPUs (TSXP57*)Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S)Modicon M340 CPU (part numbers BMXP34*)Modicon Momentum Unity M1E Processor (171CBU*)EcoStruxure Control Expert Modicon M580 CPU (part numbers BMEP* and BMEH*) EcoStruxure Process Expert
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2022-42971
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-3.22% / 86.55%
||
7 Day CHG~0.00%
Published-01 Feb, 2023 | 00:00
Updated-05 Feb, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GS-01-22261)

Action-Not Available
Vendor-Microsoft CorporationSchneider Electric SE
Product-windows_server_2016apc_easy_ups_online_monitoring_softwareeasy_ups_online_monitoring_softwarewindows_7windows_11windows_10windows_server_2022windows_server_2019Schneider Electric Easy UPS Online Monitoring SoftwareAPC Easy UPS Online Monitoring Software
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2022-42970
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-0.23% / 45.82%
||
7 Day CHG~0.00%
Published-01 Feb, 2023 | 00:00
Updated-05 Feb, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-306: Missing Authentication for Critical Function The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GS-01-22261)

Action-Not Available
Vendor-Microsoft CorporationSchneider Electric SE
Product-windows_server_2016apc_easy_ups_online_monitoring_softwareeasy_ups_online_monitoring_softwarewindows_7windows_11windows_10windows_server_2022windows_server_2019Schneider Electric Easy UPS Online Monitoring SoftwareAPC Easy UPS Online Monitoring Software
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2020-28216
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-7.5||HIGH
EPSS-0.08% / 24.51%
||
7 Day CHG~0.00%
Published-11 Dec, 2020 | 00:51
Updated-04 Aug, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to read network traffic over HTTP protocol.

Action-Not Available
Vendor-n/a
Product-easergy_t300easergy_t300_firmwareEasergy T300 (firmware 2.7 and older)
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2017-6032
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-5.3||MEDIUM
EPSS-0.46% / 63.07%
||
7 Day CHG~0.00%
Published-30 Jun, 2017 | 02:35
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Violation of Secure Design Principles issue was discovered in Schneider Electric Modicon Modbus Protocol. The Modicon Modbus protocol has a session-related weakness making it susceptible to brute-force attacks.

Action-Not Available
Vendor-n/aSchneider Electric SE
Product-modbus_firmwaremodbusSchneider Electric Modicon Modbus Protocol
CWE ID-CWE-358
Improperly Implemented Security Check for Standard
CWE ID-CWE-657
Violation of Secure Design Principles
CVE-2022-37300
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-0.29% / 51.86%
||
7 Day CHG~0.00%
Published-12 Sep, 2022 | 17:40
Updated-03 Aug, 2024 | 10:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoStruxure Process Expert, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior), Modicon M340 CPU (part numbers BMXP34*) (V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*) (V3.20 and prior).

Action-Not Available
Vendor-
Product-modicon_m340_bmxp342030_firmwaremodicon_m340_bmxp3420302h_firmwaremodicon_m340_bmxp342020h_firmwaremodicon_m580_bmep583040_firmwaremodicon_m580_bmeh582040smodicon_m340_bmxp3420302_firmwaremodicon_m340_bmxp342010modicon_m580_bmeh584040smodicon_m580_bmep582020h_firmwaremodicon_m580_bmep584040s_firmwaremodicon_m580_bmep584040modicon_m340_bmxp342010_firmwaremodicon_m340_bmxp342020_firmwaremodicon_m340_bmxp3420102_firmwaremodicon_m580_bmep585040_firmwaremodicon_m580_bmep582040h_firmwaremodicon_m580_bmep584040_firmwaremodicon_m580_bmep584040smodicon_m580_bmeh582040cmodicon_m580_bmep583040ecostruxure_control_expertmodicon_m580_bmep582040modicon_m580_bmep584020_firmwaremodicon_m580_bmeh584040modicon_m580_bmep585040modicon_m580_bmep585040c_firmwaremodicon_m580_bmeh584040_firmwaremodicon_m580_bmep581020h_firmwaremodicon_m580_bmep584020modicon_m580_bmeh584040s_firmwaremodicon_m340_bmxp342020modicon_m340_bmxp342030hmodicon_m340_bmxp342020hmodicon_m580_bmeh586040cmodicon_m580_bmep582020_firmwaremodicon_m340_bmxp342000_firmwaremodicon_m580_bmeh586040_firmwaremodicon_m580_bmep581020hmodicon_m580_bmeh584040cmodicon_m340_bmxp342030modicon_m580_bmeh586040c_firmwaremodicon_m580_bmep586040_firmwaremodicon_m580_bmeh582040_firmwaremodicon_m580_bmep582040_firmwaremodicon_m580_bmeh582040modicon_m580_bmeh582040c_firmwaremodicon_m580_bmep583020modicon_m580_bmeh586040s_firmwaremodicon_m580_bmeh586040smodicon_m580_bmep586040modicon_m340_bmxp342000modicon_m580_bmeh586040modicon_m580_bmep582020modicon_m580_bmep583020_firmwaremodicon_m340_bmxp341000modicon_m580_bmeh584040c_firmwaremodicon_m340_bmxp3420302hmodicon_m580_bmep585040cmodicon_m580_bmep582040hmodicon_m340_bmxp3420302modicon_m340_bmxp341000_firmwaremodicon_m580_bmep581020_firmwareecostruxure_process_expertmodicon_m580_bmep581020modicon_m580_bmep586040cmodicon_m340_bmxp342030h_firmwaremodicon_m580_bmep582020hmodicon_m580_bmep586040c_firmwaremodicon_m340_bmxp3420102modicon_m580_bmeh582040s_firmwareEcoStruxure Control ExpertEcoStruxure Process ExpertModicon M340 CPUModicon M580 CPU
CWE ID-CWE-640
Weak Password Recovery Mechanism for Forgotten Password
CVE-2022-34756
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-8.8||HIGH
EPSS-1.87% / 82.34%
||
7 Day CHG~0.00%
Published-13 Jul, 2022 | 21:10
Updated-17 Sep, 2024 | 04:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could result in remote code execution or the crash of HTTPs stack which is used for the device Web HMI. Affected Products: Easergy P5 (V01.401.102 and prior)

Action-Not Available
Vendor-
Product-easergy_p5_firmwareeasergy_p5Easergy P5
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2022-32513
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-0.18% / 40.21%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-521: Weak Password Requirements vulnerability exists that could allow an attacker to gain control of the device when the attacker brute forces the password. Affected Products: C-Bus Network Automation Controller - LSS5500NAC (Versions prior to V1.10.0), Wiser for C-Bus Automation Controller - LSS5500SHAC (Versions prior to V1.10.0), Clipsal C-Bus Network Automation Controller - 5500NAC (Versions prior to V1.10.0), Clipsal Wiser for C-Bus Automation Controller - 5500SHAC (Versions prior to V1.10.0), SpaceLogic C-Bus Network Automation Controller - 5500NAC2 (Versions prior to V1.10.0), SpaceLogic C-Bus Application Controller - 5500AC2 (Versions prior to V1.10.0)

Action-Not Available
Vendor-Schneider Electric SE
Product-5500ac2_firmware5500shaclss5500nac5500ac2lss5500shaclss5500nac_firmwarelss5500shac_firmware5500nac_firmware5500nac5500nac25500shac_firmware5500nac2_firmwareClipsal C-Bus Network Automation Controller, 5500NACSpaceLogic C-Bus Network Automation Controller, 5500NAC2Clipsal Wiser for C-Bus Automation Controller, 5500SHACWiser for C-Bus Automation Controller, LSS5500SHACSpaceLogic C-Bus Application Controller, 5500AC2C-Bus Network Automation Controller, LSS5500NAC
CWE ID-CWE-521
Weak Password Requirements
CVE-2022-32514
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-0.20% / 41.73%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-287: Improper Authentication vulnerability exists that could allow an attacker to gain control of the device when logging into a web page. Affected Products: C-Bus Network Automation Controller - LSS5500NAC (Versions prior to V1.10.0), Wiser for C-Bus Automation Controller - LSS5500SHAC (Versions prior to V1.10.0), Clipsal C-Bus Network Automation Controller - 5500NAC (Versions prior to V1.10.0), Clipsal Wiser for C-Bus Automation Controller - 5500SHAC (Versions prior to V1.10.0), SpaceLogic C-Bus Network Automation Controller - 5500NAC2 (Versions prior to V1.10.0), SpaceLogic C-Bus Application Controller - 5500AC2 (Versions prior to V1.10.0)

Action-Not Available
Vendor-Schneider Electric SE
Product-5500ac2_firmware5500shaclss5500nac5500ac2lss5500shaclss5500nac_firmwarelss5500shac_firmware5500nac_firmware5500nac5500nac25500shac_firmware5500nac2_firmwareClipsal C-Bus Network Automation Controller, 5500NACSpaceLogic C-Bus Network Automation Controller, 5500NAC2Clipsal Wiser for C-Bus Automation Controller, 5500SHACWiser for C-Bus Automation Controller, LSS5500SHACSpaceLogic C-Bus Application Controller, 5500AC2C-Bus Network Automation Controller, LSS5500NAC
CWE ID-CWE-287
Improper Authentication
CVE-2022-32523
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-4.42% / 88.59%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted online data request messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

Action-Not Available
Vendor-Schneider Electric SE
Product-interactive_graphical_scada_systemIGSS Data Server (IGSSdataServer.exe)
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2022-32522
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-3.78% / 87.60%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted mathematically reduced data request messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

Action-Not Available
Vendor-Schneider Electric SE
Product-interactive_graphical_scada_systemIGSS Data Server (IGSSdataServer.exe)
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2022-32526
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-3.61% / 87.32%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted setting value messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

Action-Not Available
Vendor-Schneider Electric SE
Product-interactive_graphical_scada_systemIGSS Data Server (IGSSdataServer.exe)
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2022-32519
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-8||HIGH
EPSS-0.19% / 41.33%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-257: Storing Passwords in a Recoverable Format vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. Affected Products: Data Center Expert (Versions prior to V7.9.0)

Action-Not Available
Vendor-Schneider Electric SE
Product-data_center_expertData Center Expert
CWE ID-CWE-257
Storing Passwords in a Recoverable Format
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-32524
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-4.42% / 88.59%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted time reduced data messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

Action-Not Available
Vendor-Schneider Electric SE
Product-interactive_graphical_scada_systemIGSS Data Server (IGSSdataServer.exe)
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2022-32529
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-4.42% / 88.59%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted log data request messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

Action-Not Available
Vendor-Schneider Electric SE
Product-interactive_graphical_scada_systemIGSS Data Server (IGSSdataServer.exe)
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2018-7790
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-0.49% / 64.63%
||
7 Day CHG~0.00%
Published-29 Aug, 2018 | 21:00
Updated-16 Sep, 2024 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Information Management Error vulnerability exists in Schneider Electric's Modicon M221 product (all references, all versions prior to firmware V1.6.2.0). The vulnerability allows unauthorized users to replay authentication sequences. If an attacker exploits this vulnerability and connects to a Modicon M221, the attacker can upload the original program from the PLC.

Action-Not Available
Vendor-
Product-modicon_m221_firmwaremodicon_m221Modicon M221, all references, all versions prior to firmware V1.6.2.0
CWE ID-CWE-294
Authentication Bypass by Capture-replay
CVE-2022-32520
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-8||HIGH
EPSS-0.16% / 37.70%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-522: Insufficiently Protected Credentials vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. This CVE is unique from CVE-2022-32518. Affected Products: Data Center Expert (Versions prior to V7.9.0)

Action-Not Available
Vendor-Schneider Electric SE
Product-data_center_expertData Center Expert
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-32527
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-3.61% / 87.32%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted alarm cache data messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

Action-Not Available
Vendor-Schneider Electric SE
Product-interactive_graphical_scada_systemIGSS Data Server (IGSSdataServer.exe)
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2022-32518
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-8||HIGH
EPSS-0.16% / 37.70%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-522: Insufficiently Protected Credentials vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. This CVE is unique from CVE-2022-32520. Affected Products: Data Center Expert (Versions prior to V7.9.0)

Action-Not Available
Vendor-Schneider Electric SE
Product-data_center_expertData Center Expert
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-24311
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-3.70% / 87.48%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 22:04
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists that could cause modification of an existing file by inserting at beginning of file or create a new file in the context of the Data Server potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior)

Action-Not Available
Vendor-n/a
Product-interactive_graphical_scada_system_data_serverInteractive Graphical SCADA System Data Server (V15.0.0.22020 and prior)
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-32525
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-3.61% / 87.32%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted alarm data messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)

Action-Not Available
Vendor-Schneider Electric SE
Product-interactive_graphical_scada_systemIGSS Data Server (IGSSdataServer.exe)
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2014-5412
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-5||MEDIUM
EPSS-0.53% / 66.37%
||
7 Day CHG~0.00%
Published-18 Sep, 2014 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account.

Action-Not Available
Vendor-n/aSchneider Electric SEAVEVA
Product-clearscadascada_expert_clearscadan/a
CVE-2022-30237
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-8.2||HIGH
EPSS-0.10% / 29.20%
||
7 Day CHG~0.00%
Published-02 Jun, 2022 | 22:45
Updated-17 Sep, 2024 | 01:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-311: Missing Encryption of Sensitive Data vulnerability exists that could allow authentication credentials to be recovered when an attacker breaks the encoding. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)

Action-Not Available
Vendor-
Product-wiser_smart_eer21000wiser_smart_eer21001_firmwarewiser_smart_eer21000_firmwarewiser_smart_eer21001Wiser Smart
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2021-22768
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-0.59% / 68.18%
||
7 Day CHG~0.00%
Published-11 Jun, 2021 | 15:40
Updated-03 Aug, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-20: Improper Input Validation vulnerability exists in PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions) that could cause denial of service or remote code execution via a specially crafted HTTP packet.This CVE ID is unique from CVE-2021-22767

Action-Not Available
Vendor-n/a
Product-powerlogic_egx300_firmwarepowerlogic_egx100powerlogic_egx100_firmwarepowerlogic_egx300PowerLogic EGX100 (Versions 3.0.0 and newer) and PowerLogic EGX300 (All Versions)
CWE ID-CWE-20
Improper Input Validation
CVE-2022-30234
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.4||CRITICAL
EPSS-0.47% / 63.58%
||
7 Day CHG~0.00%
Published-02 Jun, 2022 | 22:45
Updated-16 Sep, 2024 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-798: Use of Hard-coded Credentials vulnerability exists that could allow arbitrary code to be executed when root level access is obtained. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)

Action-Not Available
Vendor-
Product-wiser_smart_eer21000wiser_smart_eer21001_firmwarewiser_smart_eer21000_firmwarewiser_smart_eer21001Wiser Smart
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2017-7575
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.38% / 86.87%
||
7 Day CHG~0.00%
Published-06 Apr, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Schneider Electric Modicon TM221CE16R 1.3.3.3 devices allow remote attackers to discover the application-protection password via a \x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00 request to the Modbus port (502/tcp). Subsequently the application may be arbitrarily downloaded, modified, and uploaded.

Action-Not Available
Vendor-n/aSchneider Electric SE
Product-modicon_tm221ce16r_firmwaremodicon_tm221ce16rn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2017-7689
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.23% / 86.55%
||
7 Day CHG~0.00%
Published-11 Apr, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Command Injection vulnerability in Schneider Electric homeLYnk Controller exists in all versions before 1.5.0.

Action-Not Available
Vendor-n/aSchneider Electric SE
Product-homelynk_controller_lss100100homelynk_controller_lss100100_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2017-7574
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.27% / 50.18%
||
7 Day CHG~0.00%
Published-06 Apr, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modicon TM221CE16R 1.3.3.3 devices have a hardcoded-key vulnerability. The Project Protection feature is used to prevent unauthorized users from opening an XML protected project file, by prompting the user for a password. This XML file is AES-CBC encrypted; however, the key used for encryption (SoMachineBasicSoMachineBasicSoMa) cannot be changed. After decrypting the XML file with this key, the user password can be found in the decrypted data. After reading the user password, the project can be opened and modified with the Schneider product.

Action-Not Available
Vendor-n/aSchneider Electric SE
Product-modicon_tm221ce16r_firmwaresomachinemodicon_tm221ce16rn/a
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2017-6028
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.23% / 45.71%
||
7 Day CHG~0.00%
Published-30 Jun, 2017 | 02:35
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Insufficiently Protected Credentials issue was discovered in Schneider Electric Modicon PLCs Modicon M241, all firmware versions, and Modicon M251, all firmware versions. Log-in credentials are sent over the network with Base64 encoding leaving them susceptible to sniffing. Sniffed credentials could then be used to log into the web application.

Action-Not Available
Vendor-n/aSchneider Electric SE
Product-modicon_m241modicon_m251modicon_m251_firmwaremodicon_m241_firmwareSchneider Electric Modicon PLCs
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-26507
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.70% / 90.86%
||
7 Day CHG~0.00%
Published-14 Apr, 2022 | 12:04
Updated-03 Aug, 2024 | 05:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A heap-based buffer overflow exists in XML Decompression DecodeTreeBlock in AT&T Labs Xmill 0.7. A crafted input file can lead to remote code execution. This is not the same as any of: CVE-2021-21810, CVE-2021-21811, CVE-2021-21812, CVE-2021-21815, CVE-2021-21825, CVE-2021-21826, CVE-2021-21828, CVE-2021-21829, or CVE-2021-21830. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Action-Not Available
Vendor-attn/a
Product-ecostruxure_process_expertecostruxure_control_expertremoteconnectxmillscadapack_470scadapack_570scadapack_574scadapack_575scadapack_474n/a
CWE ID-CWE-787
Out-of-bounds Write
CVE-2022-24324
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-2.32% / 84.15%
||
7 Day CHG~0.00%
Published-01 Feb, 2023 | 00:00
Updated-05 Feb, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22073)

Action-Not Available
Vendor-Schneider Electric SE
Product-interactive_graphical_scada_systemIGSS Data Server (IGSSdataServer.exe)
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2022-2329
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-3.09% / 86.26%
||
7 Day CHG~0.00%
Published-01 Feb, 2023 | 00:00
Updated-05 Feb, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause heap-based buffer overflow, leading to denial of service and potentially remote code execution when an attacker sends multiple specially crafted messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22073)

Action-Not Available
Vendor-Schneider Electric SE
Product-interactive_graphical_scada_systemIGSS Data Server (IGSSdataServer.exe)
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2022-24317
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-7.5||HIGH
EPSS-0.28% / 50.64%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 22:05
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-862: Missing Authorization vulnerability exists that could cause information exposure when an attacker sends a specific message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior)

Action-Not Available
Vendor-n/a
Product-interactive_graphical_scada_system_data_serverInteractive Graphical SCADA System Data Server (V15.0.0.22020 and prior)
CWE ID-CWE-862
Missing Authorization
CVE-2022-24318
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-7.5||HIGH
EPSS-0.10% / 28.35%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 22:05
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)

Action-Not Available
Vendor-n/a
Product-clearscadaecostruxure_geo_scada_expert_2020ecostruxure_geo_scada_expert_2019ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)
CWE ID-CWE-326
Inadequate Encryption Strength
CVE-2022-24316
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-7.5||HIGH
EPSS-0.32% / 54.66%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 22:05
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-665: Improper Initialization vulnerability exists that could cause information exposure when an attacker sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior)

Action-Not Available
Vendor-n/a
Product-interactive_graphical_scada_system_data_serverInteractive Graphical SCADA System Data Server (V15.0.0.22020 and prior)
CWE ID-CWE-665
Improper Initialization
CVE-2022-24313
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-4.71% / 88.94%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 22:04
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior)

Action-Not Available
Vendor-n/a
Product-interactive_graphical_scada_system_data_serverInteractive Graphical SCADA System Data Server (V15.0.0.22020 and prior)
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2022-24310
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-1.64% / 81.20%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 22:04
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-190: Integer Overflow or Wraparound vulnerability exists that could cause heap-based buffer overflow, leading to denial of service and potentially remote code execution when an attacker sends multiple specially crafted messages. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior)

Action-Not Available
Vendor-n/a
Product-interactive_graphical_scada_system_data_serverInteractive Graphical SCADA System Data Server (V15.0.0.22020 and prior)
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2022-24312
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-1.75% / 81.80%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 22:04
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists that could cause modification of an existing file by adding at end of file or create a new file in the context of the Data Server potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior)

Action-Not Available
Vendor-n/a
Product-interactive_graphical_scada_system_data_serverInteractive Graphical SCADA System Data Server (V15.0.0.22020 and prior)
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-22805
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-8.20% / 91.85%
||
7 Day CHG~0.00%
Published-09 Mar, 2022 | 19:30
Updated-03 Aug, 2024 | 03:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists that could cause remote code execution when an improperly handled TLS packet is reassembled. Affected Product: SmartConnect Family: SMT Series (SMT Series ID=1015: UPS 04.5 and prior), SMC Series (SMC Series ID=1018: UPS 04.2 and prior), SMTL Series (SMTL Series ID=1026: UPS 02.9 and prior), SCL Series (SCL Series ID=1029: UPS 02.5 and prior / SCL Series ID=1030: UPS 02.5 and prior / SCL Series ID=1036: UPS 02.5 and prior / SCL Series ID=1037: UPS 03.1 and prior), SMX Series (SMX Series ID=1031: UPS 03.1 and prior)

Action-Not Available
Vendor-
Product-scl_series_1036_upssmc_series_1018_ups_firmwaresmtl_series_1026_upsscl_series_1029_ups_firmwaresmt_series_1015_upssmtl_series_1026_ups_firmwarescl_series_1030_ups_firmwaresmt_series_1015_ups_firmwaresmx_series_1031_ups_firmwaresmx_series_1031_upsscl_series_1037_ups_firmwarescl_series_1037_upsscl_series_1036_ups_firmwaresmc_series_1018_upsscl_series_1030_upsscl_series_1029_upsSmartConnect
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2022-22731
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-6.5||MEDIUM
EPSS-0.23% / 45.63%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-05 Feb, 2025 | 20:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in a function that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause path traversal attacks. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)

Action-Not Available
Vendor-Schneider Electric SE
Product-ecostruxure_power_commissionEcoStruxure Power Commission
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-22813
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 60.36%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 22:05
Updated-03 Aug, 2024 | 03:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-798: Use of Hard-coded Credentials vulnerability exists. If an attacker were to obtain the TLS cryptographic key and take active control of the Courier tunneling communication network, they could potentially observe and manipulate traffic associated with product configuration.

Action-Not Available
Vendor-n/a
Product-easergy_p746_firmwareeasergy_p742easergy_p849easergy_p441easergy_p142_firmwareeasergy_p546easergy_p543easergy_p541easergy_p143_firmwareeasergy_p141easergy_p342easergy_p542easergy_p241_firmwareeasergy_p545_firmwareeasergy_p243_firmwareeasergy_p446easergy_p741easergy_p642easergy_p541_firmwareeasergy_p342_firmwareeasergy_p645easergy_p345_firmwareeasergy_p743easergy_p145easergy_p343_firmwareeasergy_p849_firmwareeasergy_p643_firmwareeasergy_p242_firmwareeasergy_p545easergy_p344easergy_p142easergy_p442easergy_p544easergy_p143easergy_p441_firmwareeasergy_p743_firmwareeasergy_p542_firmwareeasergy_p645_firmwareeasergy_p242easergy_p841easergy_p343easergy_p543_firmwareeasergy_p443_firmwareeasergy_p446_firmwareeasergy_p445_firmwareeasergy_p341_firmwareeasergy_p742_firmwareeasergy_p444_firmwareeasergy_p445easergy_p444easergy_p642_firmwareeasergy_p341easergy_p544_firmwareeasergy_p442_firmwareeasergy_p741_firmwareeasergy_p141_firmwareeasergy_p841_firmwareeasergy_p241easergy_p344_firmwareeasergy_p746easergy_p643easergy_p546_firmwareeasergy_p145_firmwareeasergy_p443easergy_p345easergy_p243Easergy P40 Series model numbers with Ethernet option bit as Q, R, S (All PX4X firmware Versions)
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2022-22806
Matching Score-8
Assigner-Schneider Electric
ShareView Details
Matching Score-8
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-0.23% / 45.30%
||
7 Day CHG~0.00%
Published-09 Mar, 2022 | 19:30
Updated-03 Aug, 2024 | 03:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent. Affected Product: SmartConnect Family: SMT Series (SMT Series ID=1015: UPS 04.5 and prior), SMC Series (SMC Series ID=1018: UPS 04.2 and prior), SMTL Series (SMTL Series ID=1026: UPS 02.9 and prior), SCL Series (SCL Series ID=1029: UPS 02.5 and prior / SCL Series ID=1030: UPS 02.5 and prior / SCL Series ID=1036: UPS 02.5 and prior / SCL Series ID=1037: UPS 03.1 and prior), SMX Series (SMX Series ID=1031: UPS 03.1 and prior)

Action-Not Available
Vendor-
Product-scl_series_1036_upssmc_series_1018_ups_firmwaresmtl_series_1026_upsscl_series_1029_ups_firmwaresmt_series_1015_upssmtl_series_1026_ups_firmwarescl_series_1030_ups_firmwaresmt_series_1015_ups_firmwaresmx_series_1031_ups_firmwaresmx_series_1031_upsscl_series_1037_ups_firmwarescl_series_1037_upsscl_series_1036_ups_firmwaresmc_series_1018_upsscl_series_1030_upsscl_series_1029_upsSmartConnect
CWE ID-CWE-294
Authentication Bypass by Capture-replay
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 7
  • 8
  • Next
Details not found