SEVD-2020-315-07
Schneider Electric is aware of multiple vulnerabilities in its PLC Simulator for EcoStruxure™ Control Expert product. The PLC Simulator feature is part of the EcoStruxure™ Control Expert and EcoStruxure™ Process Expert software. It helps users review and test their configuration files in a simulation environment; it is not intended to be used as a controller CPU in a production environment. Failure to apply the mitigations provided below may risk unauthorized command execution or denial of service, which could result in undesired actions by the PLC simulator software. March 2023 Update: An additional mitigation has been provided using a Cybersecurity Application Note (page 3).
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Schneider Electric | PLC Simulator for EcoStruxure™ Process Expert | all versions |
| Schneider Electric | PLC Simulator for EcoStruxure™ Control Expert | prior to v15.0 SP1 |
| Schneider Electric | PLC Simulator for Unity Pro (former name of EcoStruxure™ Control Expert) | all versions |
| Schneider Electric | EcoStruxure™ Control Expert | 15.0 SP1 |
Timeline
- Nov 10, 2020 CVE Published
- Mar 14, 2023 CVE Updated
References
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-315-07&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2020-315-07_PLC_Simulator_on_EcoStruxure%E2%84%A2_Control_Expert_and_Process_Expert_Security_Notification.pdf advisory
- https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-315-07&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2020-315-07.json advisory
- https://www.se.com/us/en/download/document/7EN52-0390/ url
- https://www.se.com/ww/en/download/document/EcoStruxureControlExpert_15SP1 fix