TROYANOSYVIRUS
Back to CVEs

CVE-2020-28221

CRITICAL
9.8

Description

A CWE-20: Improper Input Validation vulnerability exists in EcoStruxure™ Operator Terminal Expert and Pro-face BLUE (version details in the notification) that could cause arbitrary code execution when the Ethernet Download feature is enable on the HMI.

CVE Details

CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published1/26/2021
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0

Affected Products

schneider-electric:ecostruxure_operator_terminal_expertschneider-electric:gp-4104gschneider-electric:gp-4104wschneider-electric:gp-4105gschneider-electric:gp-4105wschneider-electric:gp-4106gschneider-electric:gp-4106wschneider-electric:gp-4107gschneider-electric:gp-4107wschneider-electric:hmi_sto_501schneider-electric:hmi_sto_511schneider-electric:hmi_sto_512schneider-electric:hmi_sto_531schneider-electric:hmi_sto_532schneider-electric:hmig3uschneider-electric:hmig3xschneider-electric:hmig5uschneider-electric:hmig5u2schneider-electric:hmist6200schneider-electric:hmist6400schneider-electric:hmist6500schneider-electric:hmist6600schneider-electric:hmist6700schneider-electric:pro-face_blueschneider-electric:sp-5400waschneider-electric:sp-5500tpschneider-electric:sp-5500waschneider-electric:sp-5600taschneider-electric:sp-5600tpschneider-electric:sp-5600waschneider-electric:sp-5660tpschneider-electric:sp-5700tpschneider-electric:sp-5700wcschneider-electric:sp-5800wcschneider-electric:sp-5b00schneider-electric:sp-5b10schneider-electric:sp-5b41schneider-electric:st-6200waschneider-electric:st-6400waschneider-electric:st-6500waschneider-electric:st-6600waschneider-electric:st-6700wa

Weaknesses (CWE)

CWE-20

References

https://www.se.com/ww/en/download/document/SEVD-2021-012-01/(cybersecurity@se.com)
https://www.se.com/ww/en/download/document/SEVD-2021-012-01/(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.