CVE-2017-6026 — Vulnetix

Try Vulnetix Request Demo

CVE-2017-6026 PUBLISHED CVSS 9.100000381469727 CRITICAL

A Use of Insufficiently Random Values issue was discovered in Schneider Electric Modicon PLCs Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The session numbers generated by the web application are lacking randomization and are shared between several users. This may allow a current session to be compromised.

EPSS 18.57% · 95.2th percentile

Risk Scores

CVSS v3.1

9.100000381469727

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

18.57%

95.2th percentile

Affected Products

Vendor	Product	Versions
schneider-electric	modicon_m251_firmware	0
n/a	Schneider Electric Modicon PLCs	Schneider Electric Modicon PLCs
schneider-electric	modicon_m241_firmware	0

Timeline

Feb 17, 2017 CVE Published
Nov 30, 2018 PoC Published
Dec 1, 2018 PoC Published
Apr 14, 2021 EPSS Score
Jun 22, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Dec 25, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Apr 28, 2022 EPSS Score
Jun 29, 2022 EPSS Score
Aug 31, 2022 EPSS Score
Nov 1, 2022 EPSS Score

References

https://ics-cert.us-cert.gov/advisories/ICSA-17-089-02 url
97254 vdb
45918 exploit
https://nvd.nist.gov/vuln/detail/CVE-2017-6026 advisory
https://www.exploit-db.com/exploits/45918 url

Open in Interactive Console →