CVE-2021-22779 — CRITICAL (9.1)

Q: How severe is CVE-2021-22779?

CVE-2021-22779 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2021-22779?

Check the references section above for vendor advisories and patch information. Affected products include: Schneider-Electric Ecostruxure Control Expert, Schneider-Electric Ecostruxure Process Expert, Schneider-Electric Remoteconnect, Schneider-Electric Modicon M580 Bmep581020 Firmware, Schneider-Electric Modicon M580 Bmep581020.

Vulnerability Description

Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), SCADAPack RemoteConnect for x70 (all versions), Modicon M580 CPU (all versions - part numbers BMEP* and BMEH*), Modicon M340 CPU (all versions - part numbers BMXP34*), that could cause unauthorized access in read and write mode to the controller by spoofing the Modbus communication between the engineering software and the controller.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Schneider-Electric	Ecostruxure Control Expert	< 15.0
Schneider-Electric	Ecostruxure Process Expert	All versions
Schneider-Electric	Remoteconnect	All versions
Schneider-Electric	Modicon M580 Bmep581020 Firmware	All versions
Schneider-Electric	Modicon M580 Bmep581020	-
Schneider-Electric	Modicon M580 Bmep581020H Firmware	All versions
Schneider-Electric	Modicon M580 Bmep581020H	-
Schneider-Electric	Modicon M580 Bmep582020 Firmware	All versions
Schneider-Electric	Modicon M580 Bmep582020	-
Schneider-Electric	Modicon M580 Bmep582020H Firmware	All versions
Schneider-Electric	Modicon M580 Bmep582020H	-
Schneider-Electric	Modicon M580 Bmep582040 Firmware	All versions
Schneider-Electric	Modicon M580 Bmep582040	-
Schneider-Electric	Modicon M580 Bmep582040H Firmware	All versions
Schneider-Electric	Modicon M580 Bmep582040H	-
Schneider-Electric	Modicon M580 Bmep582040S Firmware	All versions
Schneider-Electric	Modicon M580 Bmep582040S	-
Schneider-Electric	Modicon M580 Bmep583020 Firmware	All versions
Schneider-Electric	Modicon M580 Bmep583020	-
Schneider-Electric	Modicon M580 Bmep583040 Firmware	All versions

Related Weaknesses (CWE)

CWE-290

References

http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-01Vendor Advisory
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-01Vendor Advisory

FAQ

What is CVE-2021-22779?

CVE-2021-22779 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoSt...

How severe is CVE-2021-22779?

CVE-2021-22779 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-22779?

Check the references section above for vendor advisories and patch information. Affected products include: Schneider-Electric Ecostruxure Control Expert, Schneider-Electric Ecostruxure Process Expert, Schneider-Electric Remoteconnect, Schneider-Electric Modicon M580 Bmep581020 Firmware, Schneider-Electric Modicon M580 Bmep581020.