CVE-2022-37300 — CRITICAL (9.8)

Q: How severe is CVE-2022-37300?

CVE-2022-37300 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-37300?

Check the references section above for vendor advisories and patch information. Affected products include: Schneider-Electric Ecostruxure Control Expert, Schneider-Electric Ecostruxure Process Expert, Schneider-Electric Modicon M340 Bmxp341000 Firmware, Schneider-Electric Modicon M340 Bmxp341000, Schneider-Electric Modicon M340 Bmxp342000 Firmware.

Vulnerability Description

A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoStruxure Process Expert, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior), Modicon M340 CPU (part numbers BMXP34*) (V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*) (V3.20 and prior).

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Schneider-Electric	Ecostruxure Control Expert	< 15.1
Schneider-Electric	Ecostruxure Process Expert	<= 2021
Schneider-Electric	Modicon M340 Bmxp341000 Firmware	< 3.50
Schneider-Electric	Modicon M340 Bmxp341000	-
Schneider-Electric	Modicon M340 Bmxp342000 Firmware	< 3.50
Schneider-Electric	Modicon M340 Bmxp342000	-
Schneider-Electric	Modicon M340 Bmxp342010 Firmware	< 3.50
Schneider-Electric	Modicon M340 Bmxp342010	-
Schneider-Electric	Modicon M340 Bmxp3420102 Firmware	< 3.50
Schneider-Electric	Modicon M340 Bmxp3420102	-
Schneider-Electric	Modicon M340 Bmxp342020 Firmware	< 3.50
Schneider-Electric	Modicon M340 Bmxp342020	-
Schneider-Electric	Modicon M340 Bmxp342020H Firmware	< 3.50
Schneider-Electric	Modicon M340 Bmxp342020H	-
Schneider-Electric	Modicon M340 Bmxp342030 Firmware	< 3.50
Schneider-Electric	Modicon M340 Bmxp342030	-
Schneider-Electric	Modicon M340 Bmxp3420302 Firmware	< 3.50
Schneider-Electric	Modicon M340 Bmxp3420302	-
Schneider-Electric	Modicon M340 Bmxp3420302H Firmware	< 3.50
Schneider-Electric	Modicon M340 Bmxp3420302H	-

Related Weaknesses (CWE)

CWE-640

References

https://www.se.com/us/en/download/document/SEVD-2022-221-01/PatchVendor Advisory
https://www.se.com/us/en/download/document/SEVD-2022-221-01/PatchVendor Advisory

FAQ

What is CVE-2022-37300?

CVE-2022-37300 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Af...

How severe is CVE-2022-37300?

CVE-2022-37300 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-37300?

Check the references section above for vendor advisories and patch information. Affected products include: Schneider-Electric Ecostruxure Control Expert, Schneider-Electric Ecostruxure Process Expert, Schneider-Electric Modicon M340 Bmxp341000 Firmware, Schneider-Electric Modicon M340 Bmxp341000, Schneider-Electric Modicon M340 Bmxp342000 Firmware.