Vulnerabilities > Schneider Electric > Ecostruxure Control Expert
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-02-14 | CVE-2023-27975 | Unspecified vulnerability in Schneider-Electric products. CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation. | 7.1 |
2024-02-14 | CVE-2023-6409 | Unspecified vulnerability in Schneider-Electric products. CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to a project file protected with application password when opening the file with EcoStruxure Control Expert. | 7.7 |
2023-04-18 | CVE-2023-1548 | Unspecified vulnerability in Schneider-Electric Ecostruxure Control Expert 15.1. A CWE-269: Improper Privilege Management vulnerability exists that could cause a local user to perform a denial of service through the console server service that is part of EcoStruxure Control Expert. | 5.5 |
2023-04-18 | CVE-2023-27976 | Unspecified vulnerability in Schneider-Electric Ecostruxure Control Expert 15.1. A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause remote code execution when a valid user visits a malicious link provided through the web endpoints. | 8.8 |
2023-01-31 | CVE-2022-45789 | Unspecified vulnerability in Schneider-Electric products. A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause execution of unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. | 9.8 |
2023-01-30 | CVE-2022-45788 | Unspecified vulnerability in Schneider-Electric products. A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause arbitrary code execution, denial of service and loss of confidentiality & integrity when a malicious project file is loaded onto the controller. | 9.8 |
2022-09-13 | CVE-2022-37302 | Unspecified vulnerability in Schneider-Electric Ecostruxure Control Expert 15.1. A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a crash of the Control Expert software when an incorrect project file is opened. | 5.5 |
2022-09-12 | CVE-2022-37300 | Unspecified vulnerability in Schneider-Electric products. A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. | 9.8 |
2022-04-14 | CVE-2022-26507 | Out-of-bounds Write vulnerability in multiple products. A heap-based buffer overflow exists in XML Decompression DecodeTreeBlock in AT&T Labs Xmill 0.7. | 9.8 |
2022-04-13 | CVE-2021-22797 | Unspecified vulnerability in Schneider-Electric products. A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file is loaded in the engineering software. | 7.8 |