Recommended cybersecurity best practices
Stay informed about the latest security notifications
|
|
|
|
|
|
|
|
|---|---|---|---|---|---|---|
| 2025/07/08 | ​​EcoStruxure™ IT Data Center Expert​ |
CVE-2025-6438 CVE-2025-50121 CVE-2025-50122 CVE-2025-50123 CVE-2025-50124 CVE-2025-50125 |
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-269: Improper Privilege Management CWE-331: Insufficient Entropy CWE-611: Improper Restriction of XML External Entity Reference CWE-918: Server-Side Request Forgery (SSRF) |
EcoStruxureâ„¢ IT Data Center Expert Versions 8.3 and prior (Versions 8.3 and prior) (Formerly known as StruxureWare Data Center Expert) |
SEVD-2025-189-01 PDF | SEVD-2025-189-01 CSAF |
| 2025/07/08 | System Monitor Application in Harmony and Pro-face PS5000 Legacy Industrial PCs | Schneider Electric is aware of a third-party vulnerability disclosed by GitHub affecting the jQuery component used in its HMI products. |
System Monitor application in Harmony Industrial PC HMIBMO/HMIBMI/ HMIPSO/HMIBMP/ HMIBMU/HMIPSP/HMIPEP series (All versions) System Monitor application in Pro-face Industrial PC PS5000 series (All versions) |
SEVD-2025-189-02 PDF | SEVD-2025-189-02 CSAF | |
| 2025/07/08 | ​​EcoStruxure™ Power Operation​ | Schneider Electric is aware of multiple vulnerabilities disclosed in PostgreSQL. |
EcoStruxureâ„¢ Power Operation (EPO) 2022 (CU6 and prior) EcoStruxureâ„¢ Power Operation (EPO) 2024 (CU1 and prior) |
SEVD-2025-189-03 PDF | SEVD-2025-189-03 CSAF | |
| 2025/07/08 | EcoStruxureâ„¢ Power Monitoring Expert (PME) and EcoStruxureâ„¢ Power Operation (EPO) with Advanced Reporting and Dashboards | CVE-2025-6788 | CWE-668: Exposure of Resource to Wrong Sphere |
EcoStruxureâ„¢ Power Monitoring Expert (PME) (Version 2023, Version 2023 R2, Version 2024, Version 2024 R2) EcoStruxureâ„¢ Power Operation (EPO) Advanced Reporting and Dashboards Module (Version 2022 w/ Advanced Reporting Module, Version 2024 w/ Advanced Reporting Module) |
SEVD-2025-189-04 PDF | SEVD-2025-189-04 CSAF |
| 2025/07/08 | EVLink WallBox​ |
CVE-2025-5740 CVE-2025-5741​ CVE-2025-5742​ CVE-2025-5743 |
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-78: Improper Neutralization of Special Elements used in an OS ('OS Command Injection') CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
EVLink WallBox (All versions) | SEVD-2025-161-03 (V1.1) PDF | SEVD-2025-161-03 (V1.1) CSAF |
| 2025/07/08 | Modicon Controllers M241/M251/M258/LMC058/M262 |
CVE-2025-3112 CVE-2025-3116 CVE-2025-3117 CVE-2025-3898 CVE-2025-3899 CVE-2025-3905 |
CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting’) CWE-400: Uncontrolled Resource Consumption |
Modicon Controllers M241/M251 Modicon Controllers M262 Modicon Controllers M258 / LMC058 See Security Notification for specific product versions affected. |
SEVD-2025-161-02 (V2.0) PDF | SEVD-2025-161-02 (V2.0) CSAF |
| 2025/07/08 | Modicon Controllers M241/M251/M258/LMC058 | CVE-2025-2875 | CWE-610: Externally Controlled Reference to a Resource in Another Sphere |
Modicon Controllers M241 / M251 (Versions prior to v5.3.12.48)  Modicon Controllers M258 / LMC058 (All versions) |
SEVD-2025-133-01 (V2.0) PDF | SEVD-2025-133-01 (V2.0) PDF |
| 2025/07/08 | Uni-Telway driver used in EcoStruxure™ Control Expert​, EcoStruxure™ Process Expert, EcoStruxure™ Process Expert for AVEVA System Platform and OPC Factory Server​​ | CVE-2024-10083 | CWE-20: Improper Input Validation |
Uni-Telway driver Uni-Telway driver used in EcoStruxureâ„¢ Control Expert Uni-Telway driver used in EcoStruxureâ„¢ Process Expert Uni-Telway driver used in EcoStruxureâ„¢ Process Expert for AVEVA System Platform Uni-Telway driver used in OPC Factory Server See Security Notification for specific product versions affected. |
SEVD-2025-042-02 (V2.0) PDF | SEVD-2025-042-02 (V2.0) CSAF |
| 2025/07/08 | FlexNet Publisher Vulnerability | Schneider Electric is aware of a vulnerability disclosed on Revenera FlexNet Publisher component. |
EcoStruxureâ„¢ Process Expert EcoStruxureâ„¢ OPC UA Server Expert EcoStruxureâ„¢ Control Expert Asset Link EcoStruxureâ„¢ Machine SCADA Expert Asset Link EcoStruxureâ„¢ Architecture Builder EcoStruxureâ„¢ Operator Terminal Expert EcoStruxureâ„¢ Machine Expert including EcoStruxureâ„¢ Machine Expert Safety EcoStruxureâ„¢ Machine Expert Twin EcoStruxureâ„¢ Process Expert for AVEVA System Platform Pro-Face BLUE Vijeo Designer Zelio Soft 2 |
SEVD-2025-014-07 (V3.0) PDF | SEVD-2025-014-07 (V3.0) | |
| 2025/07/08 | Vijeo Designer ​ | CVE-2024-6918 | CWE-269: Improper Privilege Management  |
Vijeo Designer (Versions prior to V6.3 SP1 ) Vijeo Designer embedded in EcoStruxureâ„¢ Machine Expert (Versions prior to v2.3) |
SEVD-2024-254-01 (V2.0) PDF | SEVD-2024-254-01 (V2.0) CSAF |
| 2025/06/10 | ​​Insight Home and Insight Facility​ | Schneider Electric is aware of a vulnerability in a third-party Real-Time Operating System (RTOS) component utilized in the Insight Home and Insight Facility products. | Insight Home, Insight Facility (All versions) | SEVD-2025-161-01 PDF | SEVD-2025-161-01 CSAF | |
| 2025/05/13 | ​Wiser Home Automation | Schneider Electric is aware of a vulnerability disclosed in the Silicon Labs Gecko Bootloader used in the ​Wiser AvatarOn 6K Freelocate and Wiser Cuadro H 5P Socket​ products. |
Wiser AvatarOn 6K Freelocate (All versions) Wiser Cuadro H 5P Socket (All versions) |
SEVD-2025-133-02 PDF | SEVD-2025-133-02 CSAF | |
| 2025/05/13 | ​​EcoStruxure™ Power Build Rapsody​ | CVE-2025-3916 | CWE-121: Stack-based Buffer Overflow | EcoStruxure™ Power Build Rapsody software (v2.7.12 FR and prior) | SEVD-2025-133-03 PDF | SEVD-2025-133-03 CSAF |
| 2025/05/13 | PrismaSeT Active - Wireless Panel Server​ | Schneider Electric is aware of a vulnerability disclosed in the Silicon Labs Gecko Bootloader used in the PrismaSet Active – Wireless Panel Server. | ​​PrismaSeT Active - Wireless Panel Server​ (All versions) | SEVD-2025-133-04 PDF | SEVD-2025-133-04 CSAF | |
| 2025/05/13 | ​​Galaxy VS, Galaxy VL, Galaxy VXL​ | Schneider Electric is aware of a vulnerability disclosed on the Erlang/OTP’s SSH Server component used Schneider Electric Galaxy VS, VL, and VXL. |
Galaxy VS (All versions) Galaxy VL (All versions) Galaxy VXL (All versions) |
SEVD-2025-133-05 PDF | SEVD-2025-133-05 CSAF | |
| 2025/05/13 | ConneXium Network Manager |
CVE-2025-2222 CVE-2025-2223 |
CWE-20: Improper Input Validation CWE-552: Files or Directories Accessible to External Parties |
ConneXium Network Manager See Security Notification for specific product versions affected. |
SEVD-2025-098-01 (V1.1) PDF | SEVD-2025-098-01 (V1.1) CSAF |
| 2025/05/13 | ​​EcoStruxure™ Power Build Rapsody​ | CVE-2024-11139 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer |
EcoStruxureâ„¢ Power Build Rapsody See Security Notification for specific product versions affected. |
SEVD-2025-014-09 (V2.0) PDF | SEVD-2025-014-09 (V2.0) CSAF |
| 2025/04/08 | ​​Trio™ Q Licensed Data Radios​ |
CVE-2025-2440 CVE-2025-2441 CVE-2025-2442 |
CWE-922: Insecure Storage of Sensitive Information CWE-1188: Incorrect Initialization of Resource |
Trioâ„¢ Q Licensed Data Radio (Versions prior to v2.7.2) | SEVD-2025-098-02 PDF | SEVD-2025-098-02 CSAF |
| 2025/04/08 | ​​Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC​ | CVE-2024-11425 | CWE-131: Incorrect Calculation of Buffer Size |
Modicon M580 CPU (part numbers BMEP* and BMEH*, excluding M580 CPU Safety) Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) BMENOR2200H EVLink Pro AC See Security Notification for specific product versions affected. |
SEVD-2025-014-01 (V2.0) PDF | SEVD-2025-014-01 (V2.0) CSAF |
| 2025/04/08 | ​​Wind River VxWorks DHCP Server Vulnerability | Schneider Electric is aware of a vulnerability within the VxWorks Operating System from Wind River. |
Modicon M580 communication modules BMENOC Modicon M580 communication modules BMECRA Modicon M580/Quantum communication modules BMXCRA Modicon Quantum communication modules 140CRA See Security Notification for specific product versions affected. |
SEVD-2025-014-03 (V2.0) PDF | SEVD-2025-014-03 (V2.0) CSAF | |
| 2025/04/08 | Modicon Controllers M340 / Momentum / MC80 |
CVE-2024-8936 CVE-2024-8937 CVE-2024-8938 |
CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119: Improper Restriction of Operations |
Modicon M340 CPU (part numbers BMXP34*) Modicon MC80 (part numbers BMKC80) Modicon Momentum Unity M1E Processor (171CBU*) See Security Notification for specific product versions affected. |
SEVD-2024-317-03 (V2.0) PDF | SEVD-2024-317-03 (V2.0) CSAF |
| 2025/04/08 | BadAlloc Vulnerabilities |
CVE-2020-28895 CVE-2020-35198 CVE-2021-22156 |
Schneider Electric is aware of multiple memory allocation vulnerabilities dubbed ‘BadAlloc’, disclosed by Microsoft on April 29, 2021. The impact of a successful exploitation of the vulnerabilities may result in denial of service, or remote code execution, depending on the context. | See Security Notification for offer specific information. | SEVD-2021-313-05 (V26.0) PDF | SEVD-2021-313-05 (V26.0) CSAF |
| 2025/03/11 | ​​EcoStruxure™ Panel Server​ | CVE-2025-2002 | CWE-532: Insertion of Sensitive Information into Log Files | EcoStruxure™ Panel Server (v2.0 and prior) | SEVD-2025-070-01 PDF | SEVD-2025-070-01 CSAF |
| 2025/03/11 | ​​EPAS-UI & EcoSUI​ | CVE-2025-0813​ | CWE-287: Improper Authentication | EcoStruxure™ Power Automation System User Interface (EPAS-UI) - Secured Versions (v2.1 up to and including v2.9) | SEVD-2025-070-02 PDF | SEVD-2025-070-02 CSAF |
| 2025/03/11 | ​WebHMI Component For EcoStruxure™ Power Automation System User Interface and EcoStruxure™ Microgrid Operation Large | CWE-1188: Initialization of a Resource with an Insecure Default  | WebHMI – Deployed with EcoStruxure™ Power Automation System (WebHMI v4.1.0.0 and prior when deployed with EPAS User Interface 2.6.30.19 and prior) | SEVD-2025-070-03 PDF | SEVD-2025-070-03 CSAF | |
| 2025/03/11 | Modicon Controllers M241 / M251Modicon Controllers M258 / LMC058 | CVE-2024-11737 | CWE-20: Improper Input Validation |
Modicon Controllers M241 / M251 (Versions prior to v5.2.11.29) Modicon Controllers M258 / LMC058 (All versions) |
SEVD-2024-345-03 (V2.0) PDF | SEVD-2024-345-03 (V2.0) CSAF |
| 2025/03/11 | EcoStruxure™ Power Monitoring Expert (PME) | CVE-2024-9005 | CWE-502: Deserialization of Untrusted Data | EcoStruxure™ Power Monitoring Expert (PME) (Version 2022 and prior) | SEVD-2024-282-05 (V1.1) PDF | SEVD-2024-282-05 (V1.1) CSAF |
| 2025/02/11 | ​​ASCO 5310 / 5350 Remote Annunciator​ |
CVE-2025-1058 CVE-2025-1059 CVE-2025-1060 CVE-2025-1070 |
CWE-319: Cleartext Transmission of Sensitive Information CWE-434: Unrestricted Upload of File with Dangerous Type CWE-494: Download of Code Without Integrity Check CWE-770: Allocation of Resources Without Limits or Throttling |
ASCO 5310 Single-Channel Remote Annunciator (All versions) ASCO 5350 Eight Channel Remote Annunciator (All versions) |
SEVD-2025-042-01 PDF | SEVD-2025-042-01 CSAF |
| 2025/02/11 | ​EcoStruxure™ Process Expert, EcoStruxure™ Process Expert for AVEVA System Platform​ | CVE-2025-0327 | CWE-269: Improper Privilege Management |
EcoStruxureâ„¢ Process Expert (Versions 2020R2, 2021 & 2023 (prior to v4.8.0.5715)) EcoStruxureâ„¢ Process Expert for AVEVA System Platform (Versions 2020R2, 2021 & 2023) |
SEVD-2025-042-03 PDF | SEVD-2025-042-03 CSAF |
| 2025/02/11 | Enerlin’X IFE and eIFE |
CVE-2025-0816 CVE-2025-0815 CVE-2025-0814 |
CWE-20: Improper Input Validation |
Enerlin’X IFE interface (LV434001) (All versions) Enerlin’X eIFE (LV851001) (All versions) |
SEVD-2025-042-04 PDF | SEVD-2025-042-04 CSAF |
| 2025/02/11 | Modicon Controllers |
CVE-2018-7842 CVE-2018-7843 CVE-2018-7844 CVE-2018-7845 CVE-2018-7846 CVE-2018-7847 CVE-2018-7848 CVE-2018-7849 CVE-2018-7850 CVE-2018-7852 CVE-2018-7853 CVE-2018-7854 CVE-2018-7855 CVE-2018-7856 CVE-2018-7857 CVE-2019-6806 CVE-2019-6807 CVE-2019-6808 CVE-2019-6809 CVE-2019-6828 CVE-2019-6829 CVE-2019-6830 |
CWE-125: Out-of-bounds Read CWE-200: Information Exposure CWE-248: Uncaught Exception CWE-284: Improper Access Control CWE-290: Authentication Bypass by Spoofing CWE-501: Trust Boundary Violation CWE-807: Reliance on Untrusted Inputs in a Security Decision |
Modicon M340 Modicon M580 Modicon MC80 Modicon Momentum Unity M1E Processor (part numbers 171CBU*) Modicon Premium Modicon Quantum PLC Simulator for EcoStruxureâ„¢ Control Expert See Security Notification for specific product versions affected. |
SEVD-2019-134-11 (V12.0) PDF | SEVD-2019-134-11 (V12.0) CSAF |
| 2025/01/14 | ​​Pro-face GP-Pro EX and Remote HMI​ | CVE-2024-12399​ | CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel |
Pro-face GP-Pro EX (All versions) Pro-face Remote HMI (All versions) |
SEVD-2025-014-02 PDF | SEVD-2025-014-02 CSAF |
| 2025/01/14 | ​​Web Designer for Modicon Communication Modules​ | CVE-2024-12476 | CWE-611: Improper Restriction of XML External Entity Reference |
Web Designer for BMXNOR0200H Web Designer for BMXNOE0110(H) Web Designer for BMENOC0311(C) Web Designer for BMENOC0321(C) See Security Notification for specific product versions affected. |
SEVD-2025-014-04 PDF | SEVD-2025-014-04 CSAF |
| 2025/01/14 | ​​Web Server on Modicon M340 and BMXNOE0100/0110, BMXNOR0200H Communication Modules​ | CVE-2024-12142 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
Modicon M340 processors (part numbers BMXP34*) BMXNOE0100 BMXNOE0110 BMXNOR0200H See Security Notification for specific product versions affected. |
SEVD-2025-014-05 PDF | SEVD-2025-014-05 CSAF |
| 2025/01/14 | ​​RemoteConnect and SCADAPack™ x70 Utilities​ | CVE-2024-12703 | CWE-502: Deserialization of untrusted data | RemoteConnect and SCADAPack™ x70 Utilities (All versions) | SEVD-2025-014-06 PDF | SEVD-2025-014-06 CSAF |
| 2025/01/14 | ​​PowerLogic™ HDPM6000 High-Density Metering System​ |
CVE-2024-10497 CVE-2024-10498 |
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-639: Authorization Bypass Through User-Controlled Key |
​​PowerLogic™ HDPM6000 Version v0.62.7 only (CVE-2024-10497) PowerLogic™ HDPM6000 Versions v0.62.7 and prior (CVE-2024-10498) |
SEVD-2025-014-08 PDF | SEVD-2025-014-08 CSAF |
| 2024/12/10 | ​​PowerChute Serial Shutdown​ | CVE-2024-10511 | CWE-287: Improper Authentication | PowerChute Serial Shutdown (Versions v1.2.0.301 and prior) | SEVD-2024-345-01 PDF | SEVD-2024-345-01 CSAF |
| 2024/12/10 | ​​Harmony HMI and Pro-face HMI products​ | CVE-2024-11999 | CWE-1104: Use of Unmaintained Third-Party Components |
Harmony (Formerly Magelis) HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7 series with EcoStruxureâ„¢ Operator Terminal Expert runtime (All versions) PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100 series with Pro-face BLUE runtime (All versions) See Security Notification for specific product versions affected. |
SEVD-2024-345-02 PDF | SEVD-2024-345-02 CSAF |
| 2024/11/12 | ​​PowerLogic PM5300 Series​ | CVE-2024-9409 | CWE-400: An Uncontrolled Resource Consumption |
PowerLogic PM5320 PowerLogic PM5340 PowerLogic PM5341 See Security Notification for specific product versions affected. |
SEVD-2024-317-01 PDF | SEVD-2024-317-01 CSAF |
| 2024/11/12 | ​​Modicon Controllers M340 / Momentum / MC80​ |
CVE-2024-8933 CVE-2024-8935 |
CWE-290: Authentication Bypass by Spoofing CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel |
Modicon M340 CPU (part numbers BMXP34*) Modicon MC80 (part numbers BMKC80) Modicon Momentum Unity M1E Processor (171CBU*) See Security Notification for specific product versions affected. |
SEVD-2024-317-02 PDF | SEVD-2024-317-02 CSAF |
| 2024/11/12 | ​EcoStruxure™ IT Gateway | CVE-2024-10575 | CWE-862: Missing Authorization | EcoStruxure™ IT Gateway (Versions 1.21.0.6, 1.22.0.3, 1.22.1.5, 1.23.0.4) | SEVD-2024-317-04 PDF | SEVD-2024-317-04 CSAF |
| 2024/11/12 | PowerLogic PM55xx and PowerLogic PM8ECC |
CVE-2021-22763 CVE-2021-22764 |
CWE-640: Weak Password Recovery Mechanism for Forgotten Password CWE-287: Improper Authentication |
PM5560 PM5561 PM5562 PM5563 PM8ECC See Security Notification for specific product versions affected. |
SEVD-2021-159-02 (V2.0) PDF | SEVD-2021-159-02 (V2.0) CSAF |
| 2024/10/08 | ​​Data Center Expert​ |
CVE-2024-8531 CVE-2024-8530 |
CWE-347: Improper Verification of Cryptographic Signature CWE-306: Missing Authentication for Critical Function  |
Data Center Expert (Versions 8.1.1.3 and prior) | SEVD-2024-282-01 PDF | SEVD-2024-282-01 CSAF |
| 2024/10/08 | ​​Harmony iPC – HMIBSC IIoT Edge Box Core​ | The third-party Yocto OS (v2.1 Krogoth) is used in the HMIBSC offer. It is known to contain multiple high and critical risk vulnerabilities. Schneider Electric cannot update the OS on the HMIBSC due to its hardware limitations and cannot provide further security updates to our customers. |
Harmony iPC – HMIBSC IIoT Edge Box Core HMIBSCEA53D1L0T HMIBSCEA53D1L0A HMIBSCEA53D1L01 HMIBSCEA53D1LSE HMIBSCEA53D1LSU See Security Notification for specific product versions affected. |
SEVD-2024-282-02 PDF | SEVD-2024-282-02 CSAF | |
| 2024/10/08 | ​​Easergy Studio​ | CVE-2024-9002 | CWE-269: Improper Privilege Management | Easergy Studio (Versions 9.3.1 and prior) | SEVD-2024-282-03 PDF | SEVD-2024-282-03 CSAF |
| 2024/10/08 | ​EVlink Home Smart and Schneider Charge​ | CVE-2024-8070 | CWE-312: Cleartext Storage of Sensitive Information |
EVlink Home Smart (All versions prior to 2.0.6.0.0) Schneider Charge (All versions prior to 1.13.4) |
SEVD-2024-282-04 PDF | SEVD-2024-282-04 CSAF |
| 2024/10/08 | ​​Zelio Soft 2​ |
CVE-2024-8422 CVE-2024-8518 |
CWE-416: Use After Free CWE-20: Improper Input Validation |
​​Zelio Soft 2​ (Versions prior to 5.4.2.2) | SEVD-2024-282-06 PDF | SEVD-2024-282-06 CSAF |
| 2024/10/08 | System Monitor Application in Harmony and Pro-face PS5000 Legacy Industrial PCs | CVE-2024-8884 | CWE-200: Information Exposure |
System Monitor application in Harmony Industrial PC HMIBMO/HMIBMI/HMIPSO/HMIBMP/HMIBMU/HMIPSP/HMIPEP series (All versions) System Monitor application in Pro-face Industrial PC PS5000 series (All versions) |
SEVD-2024-282-07 PDF | SEVD-2024-282-07 CSAF |
| 2024/10/08 | EcoStruxure EV Charging Expert | The third-party Yocto Krogoth 2.1 Operating System is used in the EcoStruxure EV Charging Expert product. It is known to contain multiple high and critical severity vulnerabilities. | EcoStruxure EV Charging Expert (All versions prior to V6.0.0) | SEVD-2024-282-08 PDF | SEVD-2024-282-08 CSAF | |
| 2024/10/08 | Modicon M340 Controller and Communication Modules | CVE-2022-0222 | CWE-269: Improper Privilege Management |
Modicon M340 CPUs (BMXP34* versions prior to v3.50) Modicon M340 X80 Ethernet Communication modules (BMXNOE0100 (H) versions prior to SV03.50 BMXNOE0110 (H) versions prior to SV06.70 BMXNOR* versions prior to v1.7 IR24) |
SEVD-2022-102-02 (V3.1) PDF | SEVD-2022-102-02 (V3.1) CSAF |
| 2024/09/10 | ​​EcoStruxure™ Power Monitoring Expert and EcoStruxure™ Power Operation or EcoStruxure™ Power SCADA Operation with Advanced Reporting and Dashboards​ | CVE-2024-8401 | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
EcoStruxure™ Power Monitoring Expert (PME) 2021 EcoStruxure™ Power Monitoring Expert (PME) 2020 EcoStruxure™ Power Operation (EPO) 2022 EcoStruxure™ Power Operation (EPO) 2022 – Advanced Reporting and Dashboards Module EcoStruxure™ Power Operation (EPO) 2021 EcoStruxure™ Power Operation (EPO) 2021 – Advanced Reporting and Dashboards Modul EcoStruxure™ Power SCADA Operation 2020 (PSO) - Advanced Reporting and Dashboards Module See Security Notification for specific product versions affected. |
SEVD-2024-254-02 PDF | SEVD-2024-254-02 CSAF |
| 2024/09/10 | PowerLogic P5 | CVE-2024-5559 | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | PowerLogic P5 (v01.500.104 and prior) | SEVD-2024-163-02 (V1.2) PDF | SEVD-2024-163-02 (V1.2) CSAF |
| 2024/09/10 | EcoStruxureâ„¢ Power Monitoring Expert | CVE-2023-28003 | CWE-613: Insufficient Session Expiration |
EcoStruxureâ„¢ Power Monitoring Expert 2022 EcoStruxureâ„¢ Power Operation (EPO) See Security Notification for specific product versions affected. |
SEVD-2023-073-01 (V3.0) PDF | SEVD-2023-073-01 (V3.0) CSAF |
| 2024/08/13 | Accutech Manager | CVE-2024-6918 | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Accutech Manager (Versions 2.8.0.0 and prior) | SEVD-2024-226-01 PDF | SEVD-2024-226-01 CSAF |
| 2024/08/13 | Modicon Controllers M241 M251 M262 | CVE-2024-6528 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
​​Modicon Controllers M241 / M251 ​ Modicon Controllers M258 / LMC058 Modicon Controllers M262​ See Security Notification for specific product versions affected. |
SEVD-2024-191-04 (V2.0) PDF | SEVD-2024-191-04 (V2.0) CSAF |
| 2024/08/13 | Modicon Controllers |
​CVE-2019-6841 CVE-2019-6842​ CVE-2019-6843 CVE-2019-6844​ CVE-2019-6846​ CVE-2019-6847​ |
CWE-755: Improper Handling of Exceptional Conditions​ ​ CWE-319: Cleartext Transmission of Sensitive Information |
Modicon M580 (part numbers BMEP* & BMEH*, excluding M580 CPU Safety) Modicon M580 CPU Safety (part numbers BMEP58*S & BMEH58*S) Modicon M340 Modicon BMxCRA and 140CRA modules See Security Notification for specific product versions affected. |
SEVD-2019-281-02 (V7.0) PDF | SEVD-2019-281-02 (V7.0) CSAF |
| 2024/08/13 | ​​EcoStruxure™ Machine SCADA Expert / BLUE Open Studio​ | Schneider Electric is aware of a vulnerability disclosed on AVEVA component used in ​EcoStruxure™ Machine SCADA Expert and BLUE Open Studio​ products. |
EcoStruxureâ„¢ Machine SCADA Expert (Version prior to 2020 SP3 HF1) Pro-face BLUE Open Studio (Version prior to 2020 SP3 HF1) |
SEVD-2024-226-02 PDF | SEVD-2024-226-02 CSAF | |
| 2024/08/13 | ​​​EcoStruxure™ Control Expert, EcoStruxure™ Process Expert ​and Modicon M340, M580 and M580 Safety PLCs​​​ |
CVE-2023-6408 CVE-2023-6409 CVE-2023-27975 |
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel CWE-798: Use of Hard-coded Credentials CWE-522: Insufficiently Protected Credentials |
Modicon M340 CPU (part numbers BMXP34*) Modicon M580 CPU (part numbers BMEP* and BMEH*, excluding M580 CPU Safety) Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) Modicon MC80 (part numbers BMKC80) Modicon Momentum Unity M1E Processor (171CBU*) EcoStruxureâ„¢ Control Expert EcoStruxureâ„¢ Process Expert See Security Notification for specific product versions affected. |
SEVD-2024-044-01 (V2.0) PDF | SEVD-2024-044-01 (V2.0) CSAF |
| 2024/08/13 | ​​EcoStruxure™ OPC UA Server Expert, Modicon Communication Server​ | CVE-2023-37200 | CWE-611: Improper Restriction of XML External Entity Reference | EcoStruxure™ OPC UA Server Expert (Versions prior to SV2.01 SP2) | SEVD-2023-192-02 (V2.0) PDF | SEVD-2023-192-02 (V2.0) CSAF |
| 2024/08/13 | Modicon PLCs (Programmable Logic Controllers) and PACs (Programmable Automation Controllers) |
CVE-2023-25619 CVE-2023-25620 |
CWE-754: Improper Check for Unusual or Exceptional Conditions |
Modicon M340 CPU (part numbers BMXP34*) Modicon M580 CPU (part numbers BMEP* and BMEH*) Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) Modicon Momentum Unity M1E Processor (171CBU*) Modicon MC80 (BMKC80) Legacy Modicon Quantum (140CPU65*) Legacy Modicon Premium CPUs (TSXP57*) See Security Notification for specific product versions affected. |
SEVD-2023-101-05 (V4.0) PDF | SEVD-2023-101-05 (V4.0) CSAF |
| 2024/08/13 | EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and Modicon M340, M580 and M580 CPU Safety | CVE-2022-45789 | CWE-294: Authentication Bypass by Capture-replay vulnerability. |
EcoStruxureâ„¢ Control Expert EcoStruxureâ„¢ Process Expert Modicon M340 CPU (part numbers BMXP34*) Modicon M580 CPU (part numbers BMEP* and BMEH*) Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) Modicon Momentum Unity M1E Processor (171CBU*) Modicon MC80 (BMKC80) See Security Notification for specific product versions affected. |
SEVD-2023-010-06 (V5.0) PDF | SEVD-2023-010-06 (V5.0) CSAF |
| 2024/08/13 | EcoStruxureâ„¢ Control Expert, EcoStruxureâ„¢ Process Expert and Modicon PLCs (Programmable Logic Controllers) and PACs (Programmable Automation Controllers) | CVE-2022-45788 | CWE-754: Improper Check for Unusual or Exceptional Conditions |
Modicon Controllers M241 / M251 Modicon Controllers M258 / LMC058 Modicon Controllers M262 See Security Notification for specific product versions affected. |
SEVD-2023-010-05 (V6.0) PDF | SEVD-2023-010-05 (V6.0) CSAF |
| 2024/08/13 | Modicon PAC Controllers | CVE-2021-22786 | CWE-200: Information Exposure |
Modicon M340 CPU (part numbers BMXP34*) Modicon M580 CPU (part numbers BMEP* and BMEH*) Modicon MC80 (BMKC80) Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) Modicon Momentum MDI (171CBU*) Legacy Modicon Quantum See Security Notification for specific product versions affected. |
SEVD-2022-221-04 (V5.0) PDF | SEVD-2022-221-04 (V5.0) |
| 2024/08/13 | Modicon PAC Controllers | CVE-2022-37301 | CWE-191: Integer Underflow (Wrap or Wraparound) |
Modicon M340 CPU (part numbers BMXP34*) Modicon M580 CPU (part numbers BMEP* and BMEH*) Modicon M580 CPU Safety (part numbers BMEP584040S and BMEP586040S) Legacy Modicon Quantum/Premium Modicon Momentum MDI (171CBU*) See Security Notification for specific product versions affected. |
SEVD-2022-221-02 (V5.0) PDF | SEVD-2022-221-02 (V5.0) CSAF |
| 2024/08/13 | EcoStruxureâ„¢ Control Expert, EcoStruxureâ„¢ Process Expert, and Modicon Controllers M580 and M340 | CVE-2022-37300 | CWE-640: Weak Password Recovery Mechanism for Forgotten Password |
EcoStruxureâ„¢ Control Expert Including all Unity Pro versions (former name of EcoStruxureâ„¢ Control Expert) EcoStruxureâ„¢ Process Expert, Including all versions of EcoStruxureâ„¢ Hybrid DCS (former name of EcoStruxureâ„¢ Process Expert) Modicon M340 CPU Modicon M580 CPU Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) See Security Notification for specific product versions affected. |
SEVD-2022-221-01 (V5.0) PDF | SEVD-2022-221-01 (V5.0) CSAF |
| 2024/08/13 | Modicon PAC Controllers and PLC Simulator for EcoStruxureâ„¢ Control Expert and EcoStruxureâ„¢ Process Expert |
CVE-2021-22789 CVE-2021-22790 CVE-2021-22791 CVE-2021-22792 |
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-Bounds Read CWE-476: NULL Pointer Dereference CWE-787: Out-of-Bounds Write |
Modicon M580 CPU (part numbers BMEP* and BMEH*) Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) Modicon M340 CPU (part numbers BMXP34*) Modicon MC80 (part numbers BMKC80*) Modicon Momentum Ethernet CPU (part numbers 171CBU*) PLC Simulator for EcoStruxureâ„¢ Control Expert, including all Unity Pro versions PLC Simulator for EcoStruxureâ„¢ Process Expert including all HDCS versions Modicon Quantum CPU (part numbers 140CPU*) br/>Modicon Premium CPU (part numbers TSXP5*) See Security Notification for specific product versions affected. |
SEVD-2021-222-04 (V7.0) PDF | SEVD-2021-222-04 (V7.0) CSAF |
| 2024/08/13 | EcoStruxureâ„¢ Control Expert, EcoStruxureâ„¢ Process Expert, SCADAPack RemoteConnectâ„¢ x70, and Modicon Controllers M580 and M340 |
CVE-2021-22778 CVE-2021-22779 CVE-2021-22780 CVE-2021-22781 CVE-2021-22782 CVE-2020-12525 |
CWE-311: Missing Encryption of Sensitive Data CWE-522: Insufficiently Protected Credentials |
EcoStruxureâ„¢ Control Expert EcoStruxureâ„¢ Process Expert SCADAPack RemoteConnectâ„¢ for x70 Modicon M580 CPU (part numbers BMEP* and BMEH*) Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) Modicon M340 CPU (part numbers BMXP34*) See Security Notification for specific product versions affected. |
SEVD-2021-194-01 (V9.0) PDF | SEVD-2021-194-01 (V9.0) CSAF |
| 2024/08/13 | Embedded FTP Servers for Modicon PAC Controllers |
CVE-2018-7240 CVE-2018-7241 CVE-2018-7242 |
​CWE-327: Use of a Broken or Risky Cryptographic Algorithm ​ CWE-522: Insufficiently Protected Credentials ​CWE-798: Use of Hard-coded Credentials |
Modicon M340 Modicon M580 Modicon M580 CPU Safety Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) Modicon BMxCRA and 140CRA modules See Security Notification for specific product versions affected. |
SEVD-2018-081-01 (V9.0) PDF | SEVD-2018-081-01 (V9.0) |
| 2024/07/09 | ​​Wiser Home Controller WHC-5918A​ | ​CVE-2024-6407​ | CWE-200: Information Exposure  | Wiser Home Controller WHC-5918A | SEVD-2024-191-01 PDF | SEVD-2024-191-01 CSAF |
| 2024/07/09 | ​​​EcoStruxure™ Foxboro DCS Core Control Services​​ |
CVE-2024-5679​ ​​CVE-2024-5680 CVE-2024-5681 |
CWE-20: Improper Input Validation CWE-129: Improper Validation of Array Index  CWE-787: Out-of-Bounds Write  |
EcoStruxureâ„¢ Foxboro DCS Core Control Services (Versions 9.8 and prior) | SEVD-2024-191-02 PDF | SEVD-2024-191-02 CSAF |
| 2024/07/09 | ​​EcoStruxure™ Foxboro SCADA FoxRTU Station​ | CVE-2024-2602 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | FoxRTU Station (All versions prior to v9.3.0) | SEVD-2024-191-03 PDF | SEVD-2024-191-03 CSAF |
| 2024/07/09 | Sage RTU |
CVE-2024-5560 CVE-2024-37036 CVE-2024-37037 CVE-2024-37038 CVE-2024-37039 CVE-2024-37040 |
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)  CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) CWE-125: Out-of-bounds Read CWE-252: Unchecked Return Value CWE-276: Incorrect Default Permissions CWE-787: Out-of-bounds Write |
Sage 1410 (Versions C3414-500-S02K5_P8 and prior) Sage 1430 (Versions C3414-500-S02K5_P8 and prior) Sage 1450 (Versions C3414-500-S02K5_P8 and prior) Sage 2400 (Versions C3414-500-S02K5_P8 and prior) Sage 3030 Magnum (Versions C3414-500-S02K5_P8 and prior) Sage 4400 (Versions C3414-500-S02K5_P8 and prior) |
SEVD-2024-163-05 (V2.0) PDF | SEVD-2024-163-05 (V2.0) CSAF |
| 2024/06/11 | Modicon M340 and BMXNOE0100 and BMXNOE0110 | CVE-2024-5056 | CWE-552: Files or Directories Accessible to External Parties |
Modicon M340 (All Versions) Network module, Modicon M340, Modbus/TCP BMXNOE0100 (All Versions) Network module, Modicon M340, Ethernet TCP/IP BMXNOE0110 (All Versions) |
SEVD-2024-163-01 PDF | SEVD-2024-163-01 CSAF |
| 2024/06/11 | EVlink Home Smart | CVE-2024-5313 | CWE-668: Exposure of the Resource Wrong Sphere | EVlink Home Smart (v2.0.4.1.2_131, v2.0.3.8.2_128) | SEVD-2024-163-03 PDF | SEVD-2024-163-03 CSAF |
| 2024/06/11 | ​​SpaceLogic AS-P​ and AS-B Automation Servers |
CVE-2024-5558 CVE-2024-5557 |
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition CWE-532: Insertion of Sensitive Information into Log File |
SpaceLogic AS-P (v5.0.3 and prior) SpaceLogic AS-B (v5.0.3 and prior) |
SEVD-2024-163-04 PDF | SEVD-2024-163-04 CSAF |
| 2024/06/11 | CODESYS Runtime Vulnerabilities | Schneider Electric is aware of ​multiple vulnerabilities​ disclosed on ​CODESYS runtime system V3 communication server​. |
Easy Harmony HMIET6/HMIFT6 Easy Modicon M310 HMISCU Controller Harmony (Formerly Magelis) HMIGK/HMIGTO/HMIGTU/HMIGTUX/HMISTU series, iPC series with Vijeo Designer runtime Magelis HMIGXU, XBT series Modicon Controller LMC058 Modicon Controller LMC078 Modicon Controller M218 Modicon Controller M241 Modicon Controller M251 Modicon Controller M258 Modicon Controller M262 PacDrive 3 Controllers: LMC Eco/Pro/Pro2 SoftSPS embedded in EcoStruxureâ„¢ Machine Expert Vijeo Designer embedded in EcoStruxureâ„¢ Machine Expert See Security Notification for specific product versions affected. |
SEVD-2023-192-04 (V6.0) PDF | SEVD-2023-192-04 (V6.0) CSAF | |
| 2024/06/11 | Easy UPS Online Monitoring Software |
CVE-2023-29411 CVE-2023-29412 CVE-2023-29413 |
CWE-306: Missing Authentication for Critical Function CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-306: Missing Authentication for Critical Function |
APC Easy UPS Online Monitoring Software (v2.5-GA-01-22320 and prior (Windows 10, 11 Windows Server 2016, 2019, 2022)) Schneider Electric Easy UPS Online Monitoring Software* (v2.5-GS-01-22320 and prior (Windows 10, 11 Windows Server 2016, 2019, 2022)) *Known as Schneider SP Series UPS Monitoring Software in China. |
SEVD-2023-101-04 (V4.0) PDF | SEVD-2023-101-04 (V4.0) CSAF |
| 2024/04/09 | ​Easergy Studio​ | CVE-2024-2747 | CWE-428: Unquoted search path or element vulnerability | Easergy Studio (Easergy Studio v9.3.3 and prior) | SEVD-2024-​100-01 PDF | SEVD-2024-​100-01 CSAF |
| 2024/04/09 | Trioâ„¢ Licensed and License-free Data Radios |
CVE-2023-5629​ CVE-2023-5630 |
CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability CWE-494: Download of Code Without Integrity Check vulnerability |
Trio Q-Series Ethernet Data Radio Trio E-Series Ethernet Data Radio Trio J-Series Ethernet Data Radio See Security Notification for specific product versions affected. |
SEVD-2023-346-01 (V2.0) PDF | SEVD-2023-346-01 (V2.0) CSAF |
| 2024/04/06 | Galaxy VS and Galaxy VL​ | CVE-2023-6032​ | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability |
Galaxy VS (v12.21) Galaxy VL (v6.82) |
SEVD-2023-318-03 (V2.0) PDF | SEVD-2023-318-03 (V2.0) CSAF |
| 2024/03/12 | ISaGRAF Vulnerabilities in IEC 61131-3 Programming and Engineering Tools |
CVE-2020-25176 CVE-2020-25178 CVE-2020-25182 CVE-2020-25184 CVE-2020-25180 |
Schneider Electric is aware of multiple vulnerabilities in ISaGRAF Workbench and ISaGRAF Runtime products. |
Easergy T300 Easergy C5 MiCOM C264 PACiS GTW EPAS GTW SCADAPack 300E RTU SCADAPack 53xE RTU SCADAPack Workbench SCD2200 Firmware for CP-3/MC-31 SAGE RTU (C3414 CPU, C3413 CPU, C3412 CPU) Talus T4e Mk 1 (A18.xx Firmware (all)) T4e Mk II and T4c (A19.08 Firmware and prior) See Security Notification for specific product versions affected. |
SEVD-2021-159-04 (V7.0) PDF | SEVD-2021-159-04 (V7.0) CSAF |
| 2024/03/12 | ​Easergy T200 |
CVE-2024-2050 CVE-2024-2051 CVE-2024-2052 |
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-307: Improper Restriction of Excessive Authentication Attempts CWE-552: Files or Directories Accessible to External Parties  |
Easergy T200 Models: T200I, T200E, T200P, T200S, T200H (Modbus) (Version SC2-04MOD-07000104 and prior) Easergy T200 Models: T200I, T200E, T200P, T200S, T200H (IEC104) (Version SC2-04IEC-07000104 and prior) Easergy T200 Models: T200I, T200E, T200P, T200S, T200H (DNP3) (Version SC2-04DNP-07000104 and prior) |
SEVD-2024-072-01 PDF | SEVD-2024-072-01 CSAF |
| 2024/03/12 | EcoStruxure Power Design - Ecodial | CVE-2024-2229 | CWE-502: Deserialization of Untrusted Data | EcoStruxure Power Design - Ecodial (Ecodial NL All Versions, Ecodial INT All Versions, Ecodial FR All Versions) | SEVD-2024-072-02 PDF | SEVD-2024-072-02 CSAF |
| 2024/02/13 | ​​EcoStruxure™ Control Expert, EcoStruxure™ Process Expert ​and Modicon M340, M580 and M580 Safety PLCs |
CVE-2023-6408 CVE-2023-6409 CVE-2023-27975 |
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel CWE-798: Use of Hard-coded Credentials CWE-522: Insufficiently Protected Credentials |
Modicon M340 CPU (part numbers BMXP34*) Modicon M580 CPU (part numbers BMEP* and BMEH*, excluding M580 CPU Safety) Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) EcoStruxureâ„¢ Control Expert EcoStruxureâ„¢ Process Expert See Security Notification for specific product versions affected. |
SEVD-2024-044-01 PDF | SEVD-2024-044-01 CSAF |
| 2024/02/13 | ​​Harmony Relay NFC​ | ​CVE-2024-0568​ | CWE-287: Improper Authentication |
Harmony Control Relay RMNF22TB30 (All versions) Harmony Timer Relay RENF22R2MMW (All versions) |
SEVD-2024-044-02 PDF | SEVD-2024-044-02 CSAF |
| 2024/02/13 | ​​EcoStruxure IT Gateway​ | CVE-2024-0865 | CWE-798: Use of hard-coded credentials | EcoStruxure IT Gateway (1.20.x and prior) | SEVD-2024-044-03 PDF | SEVD-2024-044-03 CSAF |
| 2024/02/01 | Sustainability Business Division of Schneider Electric Responds to Cybersecurity Incident | N/A | On January 17th, 2024, a ransomware incident affected Schneider Electric Sustainability Business division. | N/A | Cybersecurity Incident Announcement | |
| 2024/01/09 | ​​Easergy Studio​ | CVE-2023-7032 | CWE-502: Deserialization of untrusted data | Easergy Studio (Versions prior to v9.3.50) | SEVD-2024-009-02 PDF | SEVD-2024-009-02 CSAF |
| 2024/01/09 | EcoStruxureâ„¢ Control Expert |
CVE-2023-1548 CVE-2023-27976 |
CWE-668: Exposure of Resource to Wrong Sphere CWE-269: Improper Privilege Management |
EcoStruxureâ„¢ Control Expert (Versions prior to V16.0) | SEVD-2023-101-03 (V2.0) PDF | SEVD-2023-101-03 (V2.0) CSAF |
| 2024/01/09 | CODESYS Runtime Vulnerabilities |
CVE-2022-4224 CVE-2023-28355 CVE-2022-4046 |
CWE-668: Exposure of Resource to Wrong Sphere |
HMISCU Controller Modicon Controller M241 Modicon Controller M251 Modicon Controller M262 Modicon Controller M258 Modicon Controller LMC058 Modicon Controller M218 PacDrive 3 Controllers: LMC Eco/Pro/Pro2 PacDrive Controller LMC078 See Security Notification for specific product versions affected. |
SEVD-2023-101-01 (V2.0) PDF | SEVD-2023-101-01 (V2.0) CSAF |
| 2024/01/09 | Harmony (formerly known as Magelis) HMI Panels | CVE-2019-6833 | CWE-754 – Improper Check for Unusual or Exceptional Conditions |
Harmony/Magelis HMIGK series Harmony/Magelis HMIGTO series Harmony/Magelis HMISTO series (End of Commercialization) Harmony/Magelis) HMIGTU series Harmony/Magelis HMIGTUX series Harmony/Magelis HMIGXO series (End of Commercialization) Harmony/Magelis HMIGXU series Harmony/Magelis HMISCU series Harmony/Magelis HMISTU series Harmony/Magelis XBTGC series Harmony/Magelis XBTGH series Harmony/Magelis XBTGT series (End of Commercialization) See Security Notification for specific product versions affected. |
SEVD-2019-225-01 (V3.0) PDF | SEVD-2019-225-01 (V3.0) CSAF |
| 2023/12/12 | ProLeiT Plant iT/Brewmaxx​ | Schneider Electric is aware of ​a vulnerability​ in Redis open-source database, affecting its ​Plant iT​ product. | Plant iT/Brewmaxx (v9.60 and above) | SEVD-2023-346-02 PDF | SEVD-2023-346-02 CSAF | |
| 2023/12/12 | ​​Easy UPS Online Monitoring Software​ | CVE-2023-6407 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability | Easy UPS Online Monitoring Software (2.6-GA-01-23116 and prior (Windows 10, 11, Windows Server 2016, 2019, 2022)) | SEVD-2023-346-03 PDF | SEVD-2023-346-03 CSAF |
| 2023/12/12 | ​​PowerLogic ION8650, PowerLogic ION8800​ |
CVE-2023-5984 ​ CVE-2023-5985 |
CWE-494 : Download of Code Without Integrity Check vulnerability CWE-79: Improper Neutralization of Input During Web Page Generation vulnerability |
ION8650 (all versions) ION8800 (all versions) |
SEVD-2023-318-01 (V1.1) PDF | SEVD-2023-318-01 (V1.1) CSAF |
| 2023/11/14 | ​​EcoStruxure Power Monitoring Expert and EcoStruxure™ Power Operation with Advanced Reporting and Dashboards Module |
CVE-2023-5986 CVE-2023-5987 |
CWE-601 URL Redirection to Untrusted Site vulnerability CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability |
EcoStruxure™ Power Monitoring Expert (PME) (EcoStruxure™ Power Monitoring Expert (PME) 2021 prior to CU2, EcoStruxure™ Power Monitoring Expert (PME) 2020 prior to CU3) EcoStruxure™ Power Operation (EPO) – Advanced Reporting and Dashboards Module (Advanced Reporting and Dashboards Module 2021 prior to CU2 for EcoStruxure™ Power Operation 2021) EcoStruxure™ Power SCADA Operation (PSO) - Advanced Reporting and Dashboards Module (Advanced Reporting and Dashboards Module 2020 prior to CU3 EcoStruxure™ Power SCADA Operation (PSO) 2020 or 2020 R2) |
SEVD-2023-318-02 PDF | SEVD-2023-318-02 CSAF |
| 2023/10/10 | SpaceLogic C-Bus Toolkit |
CVE-2023-5402 CVE-2023-5399 |
CWE-269: Improper Privilege Management vulnerability CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability |
SpaceLogic C-Bus Toolkit (v1.16.2.2 and prior) | SEVD-2023-283-01 PDF | SEVD-2023-283-01 CSAF |
| 2023/10/10 |
EcoStruxure Power Monitoring Expert and EcoStruxureâ„¢ Power Operation with Advanced Reports |
CVE-2023-5391 | CWE-502: Deserialization of untrusted data vulnerability |
EcoStruxure™ Power Monitoring Expert (PME) (All versions – prior to application of Hotfix-145271 ) EcoStruxure™ Power Operation with Advanced Reports (All versions – prior to application of Hotfix-145271) EcoStruxure™ Power SCADA Operation with Advanced Reports (All versions – prior to application of Hotfix-145271 ) Note: Power SCADA Operation and Power Operation without Advanced Reports are not affected. |
SEVD-2023-283-02 PDF | SEVD-2023-283-02 CSAF |
| 2023/09/12 | ​​​IGSS (Interactive Graphical SCADA System)​​ | CVE-2023-4516​ | CWE-306: Missing Authentication for Critical Function vulnerability. |
IGSS Update Service (IGSSupdateservice.exe) (v16.0.0.23211 and prior) |
SEVD-2023-255-01 PDF | SEVD-2023-255-01 CSAF |
| 2023/08/08 | ​​​Pro-face GP-Pro EX​​ | CVE-2023-3953 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability. |
GP-Pro EX WinGP for iPC (v4.09.450 and prior) GP-Pro EX WinGP for PC/AT (v4.09.450 and prior) |
SEVD-2023-220-01 PDF | SEVD-2023-220-01 CSAF |
| 2023/07/11 | ​StruxureWare Data Center Expert |
CVE-2023-37196​ CVE-2023-37197​ CVE-2023-37198 CVE-2023-37199 |
CWE-89: Improper Neutralization of Special Elements CWE-94: Improper Control of Generation of Code |
StruxureWare Data Center Expert (now known as EcoStruxureâ„¢ IT Data Center Expert) (v7.9.3 and earlier) | SEVD-2023-192-01 PDF | SEVD-2023-192-01 CSAF |
| 2023/07/11 | ​​Accutech Manager​ | CVE-2023-29414 | CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) | Accutech Manager (Version 2.7 and prior) | SEVD-2023-192-03 PDF | SEVD-2023-192-03 CSAF |
| 2023/06/13 | ​EcoStruxure™ Operator Terminal Expert and Pro-face BLUE | CVE-2023-1049 | CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability |
EcoStruxureâ„¢ Operator Terminal Expert (v3.3 SP1 and prior) Pro-face BLUE (v3.3 SP1 and prior) |
SEVD-2023-164-01 PDF | SEVD-2023-164-01 CSAF |
| 2023/06/13 | ​​​IGSS (Interactive Graphical SCADA System)​​ | CVE-2023-3001 | CWE-502: Deserialization of Untrusted Data | IGSS Dashboard (DashBoard.exe) (v16.0.0.23130 and prior) | SEVD-2023-164-02 PDF | SEVD-2023-164-02 CSAF |
| 2023/06/13 | ​​Foxboro SCADA​ | Schneider Electric is aware of ​a vulnerability​ in the AVEVA™ InTouch component which is included as part of Foxboro SCADA product. | Foxboro SCADA (All versions) | SEVD-2023-164-03 PDF | SEVD-2023-164-03 CSAF | |
| 2023/06/13 | EcoStruxureâ„¢ Foxboro DCS Control Core Services |
CVE-2023-2569 CVE-2023-2570 |
CWE-787: Out-of-Bounds Write CWE-129: Improper Validation of Array Index |
EcoStruxureâ„¢ Foxboro DCS Control Core Services (All versions prior to patch HF98577958) | SEVD-2023-164-04 PDF | SEVD-2023-164-04 CSAF |
| 2023/06/13 | PowerLogic ION7400 / PM8000 / ION9000 Power Meters | CVE-2022-46680 | CWE-319: Cleartext transmission of sensitive information |
PowerLogic ION9000, PowerLogic ION7400 PowerLogic PM8000 (Prior to 4.0.0) PowerLogic ION8650 (All Versions) PowerLogic ION8800 (All Versions) Legacy ION products (All Versions) |
SEVD-2023-129-03 PDF (V1.1) | SEVD-2023-129-03 CSAF (V1.1) |
| 2023/05/09 | OPC Factory Server | CVE-2023-2161 | CWE-611: Improper Restriction of XML External Entity Reference | OPC Factory Server (OFS) (Version prior to V3.63SP2) | SEVD-2023-129-01 PDF | SEVD-2023-129-01 CSAF |
| 2023/05/09 |
EcoStruxureâ„¢ Power Operation EcoStruxureâ„¢ Power SCADA Operation |
Schneider Electric is aware of ​multiple vulnerabilities​ in the AVEVA™ Plant SCADA product which is included as part of ​​EcoStruxure™ Power Operation, EcoStruxure™ Power SCADA Operation​ ​products. |
EcoStruxureâ„¢ Power Operation (Version 2022, Versions 2021 CU3 and prior) EcoStruxureâ„¢ Power SCADA Operation (Versions 2020 R2 and prior) |
SEVD-2023-129-02 PDF | SEVD-2023-129-02 CSAF | |
| 2023/05/09 | Power SCADA Anywhere | Schneider Electric is aware of ​multiple vulnerabilities​ in the AVEVA™ Plant SCADA Access Anywhere which is an optional component of the EcoStruxure™ Power Operation or EcoStruxure™ Power SCADA Operation products. | EcoStruxure™ Power Operation or EcoStruxure™ Power SCADA Operation configured with Power SCADA Anywhere (Power SCADA Anywhere Versions 1.1 and 1.2) | SEVD-2023-129-04 PDF | SEVD-2023-129-04 CSAF | |
| 2023/05/09 | NicheStack TCP/IP Vulnerabilities (INFRA:HALT) in Lexium ILE, ILA, ILS, and Communication Option Boards for Altivar and Lexium32 drives |
CVE-2021-31400 CVE-2021-31401 CVE-2020-35683 CVE-2020-35684 CVE-2020-35685 |
Schneider Electric is aware of multiple vulnerabilities in HCC Embedded’s NicheStack TCP/IP third party component, which is integrated into Schneider Electric’s Lexium ILE, ILA, ILS, Altivar Profinet Communication Module (VW3A3627), Altivar and Lexium Ethernet TCP/IP Communication Module (VW3A3616), and Altivar Profinet - Communication Card (VW3A3327) products. | Lexium ILE ILA ILS firmware version (V01.110 and prior) | SEVD-2021-217-01 (V5.0) PDF | SEVD-2021-217-01 (V5.0) CSAF |
| 2023/04/26 | ​​​KNX Publicly Available Exploit​​ | Schneider Electric is aware of publicly available exploit affecting KNX home and building automation systems. The products used in these systems may come from a variety of different vendors, including Schneider Electric spaceLYnk, Wiser for KNX (formerly homeLYnk), and FellerLYnk products. |
spaceLYnk Wiser for KNX (formerly homeLYnk) FellerLYnk |
SESB-2023-01 PDF | ||
| 2023/04/11 | Conextâ„¢ Gateway/ InsightHome and InsightFacility | CVE-2023-29410 | CWE-20: Improper Input Validation |
InsightHome (v1.16 Build 004 and prior) InsightFacility (v1.16 Build 004 and prior) Conextâ„¢ Gateway (Discontinued in 2019) (v1.16 Build 004 and prior) |
SEVD-2023-101-02 PDF | SEVD-2023-101-02 CSAF |
| 2023/04/11 | Easergy Builder | CVE-2022-34755 | CWE-427 - Uncontrolled Search Path Element | Easergy Builder installer (Version 1.7.23 and older) | SEVD-2023-101-06 PDF | SEVD-2023-101-06 CSAF |
| 2023/04/11 | SCADAPack Workbench | CVE-2022-0221 | CWE-611: Improper Restriction of XML External Entity Reference | SCADAPack Workbench (Version 6.6.8a and prior) | SEVD-2022-087-01 (V2.0) PDF | SEVD-2022-087-01 (V2.0) CASF |
| 2023/04/11 | CODESYS V3 Runtime, Development System, and Gateway Vulnerabilities |
CVE-2021-33485 CVE-2021-29241 CVE-2021-29240 CVE-2021-21863 CVE-2021-21864 CVE-2021-21865 CVE-2021-21866 CVE-2021-21867 CVE-2021-21868 CVE-2021-21869 |
Multiple Vulnerabilities |
M241/M251 (All Versions) EcoStruxure Machine Expert (All Versions) Harmony/Magelis HMISTU Series, HMIGTO Series, HMIGTU Series, HMIGTUX Series, HMIGK Series, HMISCU Series, Vijeo Designer (V6.2 SP11 Hotfix 3 and prior) Eurotherm E+PLC100 (All Versions) Eurotherm E+PLC400 (V1.3.0.1 and prior) Eurotherm E+PLC tools (V1.3.0.1 and prior) Easy Harmony ET6 HMIET Series (Vijeo Designer Basic V1.2.1 and later) Easy Harmony GXU HMIGXU Series (Vijeo Designer Basic V1.2.1 and later) |
SEVD-2022-011-06 (V7.0) PDF | SEVD-2022-011-06 (V7.0) CSAF |
| 2023/03/14 | ​​PowerLogic™ HDPM6000​ | CVE-2023-28004 | CWE-129: Improper Validation of an Array Index | PowerLogic™ HDPM6000 (Version 0.58.6 and prior) | SEVD-2023-073-02 PDF | SEVD-2023-073-02 CSAF |
| 2023/03/14 | ​​​IGSS (Interactive Graphical SCADA System)​ |
CVE-2023-27977 CVE-2023-27978 CVE-2023-27979 CVE-2023-27980 CVE-2023-27981 CVE-2023-27982 CVE-2023-27983 CVE-2023-27984 |
Multiple Vulnerabilities |
IGSS Data Server (IGSSdataServer.exe) (V16.0.0.23040 and prior) IGSS Dashboard (DashBoard.exe) (V16.0.0.23040 and prior) Custom Reports (RMS16.dll) (V16.0.0.23040 and prior) |
SEVD-2023-073-04 PDF | SEVD-2023-073-04 CSAF |
| 2023/03/14 | EcoStruxure™ Geo SCADA Expert​ |
CVE-2023-22610​ CVE-2023-22611 |
Notification Updated: Adjustment of the deprecated CWE of the ​CVE-2023-22610.​ |
EcoStruxureâ„¢ Geo SCADA Expert 2019, EcoStruxureâ„¢ Geo SCADA Expert 2020, EcoStruxureâ„¢ Geo SCADA Expert 2021 (All versions prior to October 2022) ClearSCADA (All Versions) |
SEVD-2023-010-02 (V1.1) PDF | SEVD-2023-010-02 (V1.1) CSAF |
| 2023/03/14 | IGSS (Interactive Graphical SCADA System) |
CVE-2022-32522 CVE-2022-32523 CVE-2022-32524 CVE-2022-32525 CVE-2022-32526 CVE-2022-32527 CVE-2022-32528 CVE-2022-32529 |
Notification Updated: The CVE-2022-32528 description details have been clarified. | IGSS Data Server (IGSSdataServer.exe) Versions prior to Version 15.0.0.22139 | SEVD-2022-165-01 (V2.1) PDF | SEVD-2022-165-01 (V2.1) CSAF |
| 2023/02/14 | PLC Simulator on EcoStruxureâ„¢ Control Expert and Process Expert |
CVE-2020-7559 CVE-2020-7538 CVE-2020-28211 CVE-2020-28212 CVE-2020-28213 |
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-754: Improper Check for Unusual or Exceptional Conditions CWE-863: Incorrect Authorization A CWE-307: Improper Restriction of Excessive Authentication Attempts A CWE-494: Download of Code Without Integrity Check |
PLC Simulator for EcoStruxureâ„¢ Control Expert, all versions PLC Simulator for Unity Pro (former name of EcoStruxureâ„¢ Control Expert), all versions PLC Simulator for EcoStruxureâ„¢ Process Expert, all versions |
SEVD-2020-315-07 (V4.0) PDF | SEVD-2020-315-07 (V4.0) CSAF |
| 2023/02/14 | ​​EcoStruxure™ Geo SCADA Expert | CVE-2023-0595 | CWE-117: Improper Output Neutralization for Logs vulnerability. |
EcoStruxureâ„¢ Geo SCADA Expert 2019, EcoStruxureâ„¢ Geo SCADA Expert 2020, EcoStruxureâ„¢ Geo SCADA Expert 2021 (All Versions prior to October 2022) ClearSCADA (All Versions) |
SEVD-2023-045-01 PDF | SEVD-2023-045-01 CSAF |
| 2023/02/14 | ​​StruxureWare Data Center Expert​ |
​CVE-2023-25547 ​CVE-2023-25548 CVE-2023-25549​ CVE-2023-25550​ ​CVE-2023-25551 CVE-2023-25552 CVE-2023-25553 CVE-2023-25555 |
Multiple Vulnerabilities | StruxureWare Data Center Expert (7.9.2 and earlier) | SEVD-2023-045-02 PDF | SEVD-2023-045-02 CSAF |
| 2023/02/14 | ​​​Merten KNX Devices | CVE-2023-25556 | CWE-287: Improper Authentication vulnerability. |
Merten INSTABUS Tastermodul 1fach System M 625199 (Program Version 1.0) Merten INSTABUS Tastermodul 2fach System M 625299 (Program Version 1.0) Merten Tasterschnittstelle 4fach plus 670804 (Program Version 1.0 & 1.2) Merten KNX ARGUS 180/2,20M UP SYSTEM 631725 (Program Version 1.0) Merten Jalousie-/Schaltaktor REG-K/8x/16x/10 m. HB 649908 (Product discontinued) (Program Version 1.0) Merten KNX Uni-Dimmaktor LL REG-K/2x230/300 W MEG6710-0002 (Product discontinued) (Program Version 1.0 & 1.1) Merten KNX Schaltakt.2x6A UP m.2 Eing. MEG6003-0002 (Product discontinued) (Prgram Version 0.1) |
SEVD-2023-045-03 PDF | SEVD-2023-045-03 CSAF |
| 2023/02/14 | NetBotz 4 -355/450/455/550/570 |
CVE-2022-43376 CVE-2022-43377 CVE-2022-43378 |
Multiple Vulnerabilities | NetBotz 4 -355/450/455/550/570 (V4.7.0 and earlier) | SEVD-2022-312-01 (V2.0) PDF | SEVD-2022-312-01 (V2.0) CSAF |
| 2023/02/14 | Web Server on Modicon M340, Legacy Offers Modicon Quantum and Premium and Associated Communication Modules |
CVE-2021-22785 CVE-2021-22788 CVE-2021-22787 |
Notification Updated: A remediation is available for Modicon M340 Ethernet Communication Modules BMXNOE0100 (H) and BMXNOE0110 (H). |
Modicon M340 CPUs (BMXP34* versions prior to V3.40) Modicon M340 X80 Ethernet Communication modules BMXNOC0401 prior to V2.11, BMXNOR0200H RTU prior to V1.70 IR24) Modicon Premium Processors with Integrated Ethernet COPRO (TSXP574634 all versions, TSXP575634 all versions, TSXP576634 all versions) Modicon Quantum Processors with Integrated Ethernet COPRO (140CPU65xxxxx all versions) Modicon Quantum Communication Modules (140NOE771x1 all versions, 140NOC78x00 all versions, 140NOC77101 all versions) Modicon Premium Communication Modules (TSXETY4103 all versions, TSXETY5103 all versions) |
SEVD-2021-257-02 (V3.0) PDF | SEVD-2021-257-02 (V3.0) CSAF |
| 2023/02/14 | Modicon Web Server |
CVE-2020-7562 CVE-2020-7563 CVE-2020-7564 |
Notification Updated: A remediation is available on Modicon M340 Ethernet Communication Modules BMXNOE0100 (H) and BMXNOE0110 (H). | Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) | SEVD-2020-315-01 (V4.0) PDF | SEVD-2020-315-01 (V4.0) CSAF |
| 2023/01/11 | Easy UPS Online Monitoring Software |
CVE-2022-42970 CVE-2022-42971 CVE-2022-42973 CVE-2022-42972​ |
Notification Updated: The Easy UPS Online Monitoring Software has been separated by the APC and Schneider Electric brand names. |
APC Easy UPS Online Monitoring Software (V2.5-GA and prior (Windows 7, 10, 11 Windows Server 2016, 2019, 2022) (V2.5-GA-01-22261 and prior (Windows 11, Windows Server 2019, 2022)) Schneider Electric Easy UPS Online Monitoring Software (V2.5-GA and prior (Windows 7, 10, 11 Windows Server 2016, 2019, 2022) (V2.5-GA-01-22261 and prior (Windows 11, Windows Server 2019, 2022)) |
SEVD-2022-347-01 (V2.0) PDF | SEVD-2022-347-01 (V2.0) CSAF |
| 2023/01/10 | ​​EcoStruxure™ Machine Expert – HVAC (formerly SoMachine - HVAC)​ | CVE-2022-2988 | CWE-787: Out-of-bounds Write vulnerability. |
SoMachine - HVAC (Version 2.1.0 and prior) EcoStruxure™ Machine Expert – HVAC (Version 1.4.0 and prior) |
SEVD-2023-010-01 PDF | SEVD-2023-010-01 CSAF |
| 2023/01/10 | ​​EcoStruxure™ Power Operation 2021, EcoStruxure™ Power SCADA Operation 2020 and EcoStruxure™ Power SCADA Operation 2020 R2​ | CVE-2022-38138 | CWE-824: Access of uninitialized Pointer vulnerability. |
EcoStruxureâ„¢ Power SCADA Operation 2020 (Version 2020 and 2020 CU1) EcoStruxureâ„¢ Power SCADA Operation 2020 R2 (Version 2020 R2 and 2020 R2 CU1, 2020 R2 CU2, and 2020 R2 CU3) EcoStruxureâ„¢ Power Operation 2021 (Version 2021, 2021 CU1, 2021 CU2 and 2021 CU3) Power SCADA Operation (Version 9.0) PowerSCADA Expert (Version 8.x) |
SEVD-2023-010-03 PDF | SEVD-2023-010-03 CSAF |
| 2023/01/10 | ​​EcoStruxure™ Power SCADA Anywhere​ | CVE-2022-1467 | CWE-668: Exposure of Resource to Wrong Sphere vulnerability. | EcoStruxure™ Power SCADA Anywhere (Versions 2022, 2021, 2020 R2, 2020, 9.0, 8.x) | SEVD-2023-010-04 PDF | SEVD-2023-010-04 CSAF |
| 2022/12/13 | ​Saitel DR RTU | CVE-2020-6996​ | CWE-787: Out-of-bounds write vulnerability. | SAITEL DR RTU (Firmware from Baseline_11.06.01 to Baseline_11.06.14) | SEVD-2022-347-02 PDF | SEVD-2022-347-02 CSAF |
| 2022/12/13 | ​​​EcoStruxure Power Commission​ | CVE-2022-4062 | CWE-285: Improper Authorization vulnerability. | EcoStruxure Power Commission (V2.25 and prior versions) | SEVD-2022-347-03 PDF | SEVD-2022-347-03 CSAF |
| 2022/11/22 | APC Smart-UPS SMT, SMC, SMX, SCL, SRC, XU, XP, CSH2, SURTD, SMTL, SRT, and select SRTL Series |
CVE-2022-22805 CVE-2022-22806 CVE-2022-0715 |
Notification Updated: In the Affected Products and Versions section, new series IDs were added to SMT, SMC, and SMX. Added CSH2 to the available remediations sections. Added mitigations for products with the specified IDs that have been phased out and will not have firmware remediation. | APC Smart-UPS Family and SmartConnect Family (see Security Notification for affected series and versions) | SEVD-2022-067-02 (V7.0) PDF | SEVD-2022-067-02 (V7.0) CSAF |
| 2022/11/08 | homeLYnk (Wiser For KNX) and spaceLYnk |
CVE-2021-22732 CVE-2021-22733 CVE-2021-22734 CVE-2021-22735 CVE-2021-22736 CVE-2021-22737 CVE-2021-22738 CVE-2021-22739 CVE-2021-22740 |
Notification Updated: The CWE for CVE-2021-22737 has been updated. No additional action is required for customers who have already followed the remediation instructions provided. |
homeLYnk (Wiser For KNX) and spaceLYnk (V2.60 and prior) | SEVD-2021-130-04 (V2.0) PDF | SEVD-2021-130-04 (V2.0) CSAF |
| 2022/11/08 | EcoStruxure EV Charging Expert |
CVE-2022-22807 CVE-2022-22808 |
CWE-352: Cross-Site Request Forgery CWE-1021 Improper Restriction of Rendered UI Layers or Frames |
EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System) (All Versions prior to SP8 (Version 01)V4.0.0.13) | SEVD-2022-039-02 (V2.0) PDF | SEVD-2022-039-02 (V2.0) CSAF |
| 2022/11/08 | C-Bus Toolkit and C-Gate Server |
CVE-2021-22716 CVE-2021-22717 CVE-2021-22718 CVE-2021-22719 CVE-2021-22720 CVE-2021-22748 CVE-2021-22796 |
Notification Updated: The CWE for CVE-2021-22716 has been updated. No additional action is required for customers who have already followed the remediation instructions provided. |
C-Bus Toolkit V1.15.9 and prior C-Gate Server 2.11.7 and prior |
SEVD-2021-103-01 (V4.0) PDF | SEVD-2021-103-01 (V4.0) CSAF |
| 2022/10/14 | EcoStruxureâ„¢ Power Operation 2021, EcoStruxureâ„¢ Power SCADA Operation 2020 and EcoStruxureâ„¢ Power SCADA Operation 2020 R2 | CVE-2022-22727 | Notification Updated: There is an update to the EcoStruxureâ„¢ Power SCADA Operation 2020 remediation advising customers to move to 2020 R2 instead of 2020 CU2. |
EcoStruxureâ„¢ Power SCADA Operation 2020 Version 2020 and 2020 CU1 (Version 2020 and 2020 CU1) EcoStruxureâ„¢ Power SCADA Operation 2020 R2 (Version 2020 R2 Prior to CU1) EcoStruxureâ„¢ Power Operation 2021 (Version 2021, 2021 CU1 and 2021 CU2) |
SEVD-2022-284-04 (V1.1) PDF | SEVD-2022-284-04 (V1.1) CSAF |
| 2022/10/11 | EcoStruxureâ„¢ Operator Terminal Expert and Pro-face BLUE |
CVE-2022-41666 CVE 2022-41667 CVE-2022-41668 CVE-2022-41669 CVE-2022-41670 CVE-2022-41671 |
Multiple Vulnerabilities |
EcoStruxureâ„¢ Operator Terminal Expert (V3.3 Hotfix 1 or prior) Pro-face BLUE (V3.3 Hotfix1 or prior) |
SEVD-2022-284-01 PDF | SEVD-2022-284-01 CSAF |
| 2022/10/11 | EcoStruxureâ„¢ Panel Server Box (PAS900) |
CVE-2022-30790 CVE-2022-30552 |
Multiple Vulnerabilities | EcoStruxureâ„¢Panel Server Box (PAS900) (V3.1.16 and prior) | SEVD-2022-284-02 PDF | SEVD-2022-284-02 CSAF |
| 2022/10/11 | ISaGRAF Workbench for SAGE RTU |
CVE-2022-2463 CVE-2022-2464 CVE-2022-2465 |
Multiple Vulnerabilities |
SAGE RTU C3414 CPU (Current) with optional ISaGRAF software versions prior to 6.6.10 (All firmware versions prior to C3414-500-S02K5_P5) SAGE RTU C3413, C3412 CPU (Obsolete CPUs) with optional ISaGRAF software versions prior to 6.6.10 (All firmware versions) |
SEVD-2022-284-03 PDF | SEVD-2022-284-03 CSAF |
| 2022/10/11 | Apache Log4j Vulnerability (Log4Shell) |
CVE-2021-44228 CVE-2021-45046 CVE-2021-45105 CVE-2021-4104 CVE-2021-44832 |
Notification Updated: A remediation is now available for Netbotz 750/755. | Schneider Electric is aware of the vulnerabilities impacting Apache Log4j, including CVE-2021-44228, also known as Log4Shell. Our cybersecurity team is actively investigating the impact of the vulnerability on Schneider Electric offers and will continuously update this notification as information becomes available. | SESB-2021-347-01 (V14.0) PDF | SESB-2021-214-01 (V2.14) CSAF |
| 2022/09/13 | EcoStruxure Machine SCADA Expert and Pro-face BLUE Open Studio | N/A | Deserialization of Untrusted Data vulnerability exists that can lead to arbitrary code execution, information disclosure, or denial of services when the project file is loaded. |
EcoStruxure Machine SCADA Expert 2020 Service Pack 2 (V20.0.2 or prior) BLUE Open Studio 2020 Service Pack 2 (V20.0.2 or prior) |
SEVD-2022-256-01 PDF | SEVD-2022-256-01 CSAF |
| 2022/09/13 | Wind River VxWorks Vulnerabilities (URGENT/11) |
CVE-2019-12256 CVE-2019-12257 CVE-2019-12255 CVE-2019-12260 CVE-2019-12261 CVE-2019-12263 CVE-2019-12258 CVE-2019-12259 CVE-2019-12262 CVE-2019-12264 CVE-2019-12265 |
Notification Updated: CANopen X80 Communication Module (BMECXM0100) and Profibus Remote Master (TCSEGPA23F14F) added to the list of affected products, along with their final mitigations. | See Security Notification for specific product versions affected. | SESB-2019-214-01 (V2.14) PDF | SESB-2019-214-01 CSAF (V2.14) |
| 2022/09/13 | Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and Associated Communication Modules | CVE-2020-7549 | Notification Updated: A fix is available for Modicon M340 X80 Ethernet Communication Module BMXNOC0401. |
Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Ethernet Communication modules (BMXNOE0100 (H) versions prior to V3.4, BMXNOE0110 (H) versions prior to V6.5, BMXNOC0401 (H) all versions) Modicon Quantum communication modules (140NOE771x1 versions prior to V7.3, 140NOC78x00 all versions, 140NOC77101 all versions) Modicon Quantum processors with integrated Ethernet COPRO (140CPU65xx0 all versions) Modicon Premium communication modules (TSXETY4103 all versions, TSXETY5103 all versions) Modicon Premium processors with integrated Ethernet COPRO (TSXP574634 all versions, TSXP575634 all versions, TSXP576634 all versions) |
SEVD-2020-343-06 (V2.0) PDF | SEVD-2020-343-06 (V2.0) CSAF |
| 2022/09/13 | Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and Associated Communication Modules | CVE-2020-7535 | Notification Updated: A remediation is available for ModiconM340 X80 Ethernet Communication Modules BMXNOC0401. |
Modicon M340 Modicon Premium Modicon Quantum |
SEVD-2020-343-05 (V3.0) PDF | SEVD-2020-343-05 (V3.0) CSAF |
| 2022/09/13 | SNMP Service on Modicon M340 and Associated Communication Modules | CVE-2020-7536 | Notification Updated: A remediation is available for Modicon M340 X80 Ethernet Communication module BMXNOC0401. |
Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOC0401 versions prior to V2.11BMXNOE0100 (H) versions prior to V3.4, BMXNOE0110 (H) versions prior to V6.6, BMXNOR0200H V1.7 IR22) |
SEVD-2020-343-07 (V2.1) PDF | SEVD-2020-343-07 (V2.1) CSAF |
| 2022/08/19 | OPC UA and X80 advanced RTU Modicon Communication Modules |
CVE-2022-34759 CVE-2022-34760 CVE-2022-34761 CVE-2022-34762 CVE-2022-34763 CVE-2022-34764 CVE-2022-34765 |
Notification Updated: There is a remediation for the X80 Advanced RTU Communication Module (BMENOR2200). |
OPC UA Modicon Communication Module (BMENUA0100) V1.10 and prior X80 advanced RTU Communication Module (BMENOR2200H) V1.0 X80 advanced RTU Communication Module (BMENOR2200H) V2.01 and later |
SEVD-2022-193-01 (V3.0) PDF | SEVD-2022-193-01 (V3.0) CSAF |
| 2022/08/09 | Treck TCP/IP Vulnerabilities (Ripple20) |
CVE-2020-11896 CVE-2020-11897 CVE-2020-11898 CVE-2020-11899 CVE-2020-11900 CVE-2020-11901 CVE-2020-11902 CVE-2020-11903 CVE-2020-11904 CVE-2020-11905 CVE-2020-11906 CVE-2020-11907 CVE-2020-11908 CVE-2020-11909 CVE-2020-11910 CVE-2020-11911 CVE-2020-11912 CVE-2020-11913 CVE-2020-11914 |
Notification Updated - A remediation is available for the ATV6000 Medium Voltage Altivar Process Drive. | See Security Notification | SEVD-2020-175-01 (V2.18) PDF | SEVD-2020-175-01 (V2.18) CSAF |
| 2022/08/09 | EcoStruxureâ„¢ Control Expert | CVE-2022-37302 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability. | EcoStruxureâ„¢ Control Expert (V15.1 HF001 and prior) | SEVD-2022-221-03 PDF | SEVD-2022-221-03 CSAF |
| 2022/07/12 | SpaceLogic C-Bus Home Controller, formerly known as C-Bus Wiser Home Controller MK2 | CVE-2022-34753 | CWE-78: Improper Neutralizationof Special Elements used in an OS Command ('OS Command Injection') | SpaceLogic C-Bus Home Controller (5200WHC2), formerly known as C-Bus Wiser Homer Controller MK2 V1.31.460 and prior | SEVD-2022-193-02 PDF | SEVD-2022-193-02 CSAF |
| 2022/07/12 | Acti9 PowerTag Link C | CVE-2022-34754 | CWE-269: Improper Privilege Management |
Acti9 PowerTag Link C (A9XELC10-A) V1.7.5 and prior Acti9 PowerTag Link C (A9XELC10-B) V2.12.0 and prior |
SEVD-2022-193-03 PDF | SEVD-2022-193-03 CSAF |
| 2022/07/12 | Easergy P5 |
CVE-2022-34756 CVE-2022-34757 CVE-2022-34758 |
Multiple Vulnerabilities | Easergy P5 Firmware V01.401.102 and prior | SEVD-2022-193-04 PDF | SEVD-2022-193-04 CSAF |
| 2022/07/12 | IGSS (Interactive Graphical SCADA System) |
CVE-2022-24324 CVE-2022-2329 |
Notification Updated: An additional vulnerability, CVE-2022-2329, was remediated with the released patch. | IGSS Data Server (V15.0.0.22073 and prior) | SEVD-2022-102-01 (V2.0) PDF | SEVD-2022-102-01 (V2.0) CSAF |
| 2022/07/12 |
AT&T Labs Compressor (XMill) and Decompressor (XDemill) used by EcoStruxureâ„¢ Control Expert EcoStruxureâ„¢ Process Expert and SCADAPack RemoteConnectâ„¢ for x70 |
CVE-2021-21810 CVE-2021-21811 CVE-2021-21812 CVE-2021-21813 CVE-2021-21814 CVE-2021-21815 CVE-2021-21825 CVE-2021-21826 CVE-2021-21827 CVE-2021-21828 CVE-2021-21829 CVE-2021-21830 CVE-2022-26507 |
Notification Updated: A release is available for SCADAPack RemoteConnectâ„¢ R2.7.3 that addresses workstation vulnerabilities. |
EcoStruxureâ„¢ Control Expert (All versions prior to V15.1 HF001 including former Unity Pro) EcoStruxureâ„¢ Process Expert (All versions prior to V2021 including former HDCS) SCADAPack RemoteConnectâ„¢ for x70 (All versions) |
SEVD-2021-222-02 (V4.0) PDF | SEVD-2021-222-02 (V4.0) CSAF |
| 2022/07/12 |
EcoStruxureâ„¢ Control Expert EcoStruxureâ„¢ Process Expert SCADAPack RemoteConnectâ„¢ for x70 |
CVE-2021-22797 | Notification Updated: A release is available for SCADAPack RemoteConnectâ„¢ R2.7.3 that addresses workstation vulnerabilities. |
EcoStruxureâ„¢ Control Expert (All versions including former Unity Pro) EcoStruxureâ„¢ Process Expert (All versions including former HDCS) SCADAPack RemoteConnectâ„¢ for x70 (All versions) |
SEVD-2021-257-01 (V3.0) PDF | SEVD-2021-257-01 (V3.0) CSAF |
| 2022/06/16 | Data Center Expert |
CVE-2022-32518 CVE-2022-32519 CVE-2022-32520 CVE-2022-32521 |
CWE-257: Storing Passwords in a Recoverable Format CWE 502: Deserialization of Untrusted Data CWE-522: Insufficiently Protected Credentials |
Data Center Expert (V7.9.0 and prior) | SEVD-2022-165-04 (V2.0) PDF | SEVD-2022-165-04 (V2.0) CSAF |
| 2022/06/14 | Conextâ„¢ Combox |
CVE-2022-32515 CVE-2022-32516 CVE-2022-32517 |
Multiple Vulnerabilities | Conextâ„¢ ComBox All Versions | SEVD-2022-165-03 PDF | SEVD-2022-165-03 CSAF |
| 2022/06/14 | Geo SCADA Mobile | CVE-2022-32530 | CWE-668: Exposure of Resource to Wrong Sphere | Geo SCADA Mobile Version Build 222 and prior | SEVD-2022-165-02 PDF | SEVD-2022-165-02 CSAF |
| 2022/06/14 | EcoStruxure Power Commission |
CVE-2022-0223 CVE-2022-22731 CVE-2022-22732 |
Multiple Vulnerabilities | EcoStruxure Power Commission Versions prior to V2.22 | SEVD-2022-165-05 PDF | SEVD-2022-165-05 CSAF |
| 2022/06/14 | Schneider Electric C-Bus Home Automation Products |
CVE-2022-32513 CVE-2022-32514 |
Multiple Vulnerabilities |
Schneider Electric C-Bus Network Automation Controller - LSS5500NAC V1.10.0 and prior Schneider Electric Wiser for C-Bus Automation Controller - LSS5500SHAC V1.10.0 and prior Clipsal C-Bus Network Automation Controller - 5500NAC V1.10.0 and prior Clipsal Wiser for C-Bus Automation Controller - 5500SHAC V1.10.0 and prior SpaceLogic C-Bus Network Automation Controller - 5500NAC2 V1.10.0 and prior SpaceLogic C-Bus Application Controller - 5500AC2 V1.10.0 and prior |
SEVD-2022-165-06 PDF | SEVD-2022-165-06 CSAF |
| 2022/06/14 | CanBRASS | CVE-2022-32512 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer | CanBRASS Versions prior to V7.5.1 | SEVD-2022-165-07 PDF | SEVD-2022-165-07 CSAF |
| 2022/06/14 | EcoStruxureâ„¢ Cybersecurity Admin Expert |
CVE-2022-32747 CVE-2022-32748 |
Multiple Vulnerabilities | EcoStruxureâ„¢ Cybersecurity Admin Expert(CAE) Versions 2.2 and prior | SEVD-2022-165-08 PDF | SEVD-2022-165-08 CSAF |
| 2022/06/14 | EcoStruxure Power Build - Rapsody |
CVE-2021-22697 CVE-2021-22698 |
Notification Update: These vulnerabilities have been fixed in V2.1.3. | EcoStruxure Power Build - Rapsody software V2.1.13 and prior | SEVD-2021-012-02 (V2.0) PDF | SEVD-2021-012-02 (V2.0) CSAF |
| 2022/06/14 |
EcoStruxureâ„¢ Control Expert EcoStruxureâ„¢ Process Expert SCADAPack RemoteConnectâ„¢ for x70 |
CVE-2022-24322 CVE-2022-24323 |
Notification Updated: Added SCADAPack RemoteConnectâ„¢ to the list of affected products, which is impacted on versions prior to R2.7.3 through the integration of EcoStruxureâ„¢ Control Expert. |
EcoStruxureâ„¢ Control Expert Version 15.0 SP1 and prior EcoStruxureâ„¢ Process Expert Version 2021 and prior SCADAPack RemoteConnectâ„¢ for x70 All Versions prior to R2.7.3 |
SEVD-2022-067-01 (V2.0) PDF | SEVD-2022-067-01 (V2.0) CSAF |
| 2022/05/10 | PowerLogic ION Setup | CVE-2022-30232 | CWE-20: Improper Input Validation | PowerLogic ION Setup Versions prior to 3.2.22096.01 | SEVD-2022-130-01 PDF | SEVD-2022-130-01 CSAF |
| 2022/05/10 | Saitel DP RTU | CVE-2020-6996 | CWE-787: Out-of-bounds Write | Saitel DP RTU Firmware Version Baseline_09.00.00 to Baseline_11.06.23 | SEVD-2022-130-02 PDF | SEVD-2022-130-02 CSAF |
| 2022/05/10 | Wiser Smart |
CVE-2022-30234 CVE-2022-30235 CVE-2022-30238 CVE-2022-30236 CVE-2022-30237 CVE-2022-30233 |
Multiple Vulnerabilities | Wiser Smart EER21000 V4.5 and prior and Wiser Smart EER21001 V4.5 and prior | SEVD-2022-130-03 PDF | SEVD-2022-130-03 CSAF |
| 2022/05/10 | APC by Schneider Electric Network Management Cards (NMC) and NMC Embedded Devices |
CVE-2021-22810 CVE-2021-22811 CVE-2021-22812 CVE-2021-22813 CVE-2021-22814 CVE-2021-22815 |
Notification Updated: Remediations added for remaining affected products: APC Power Distribution products, Cooling products, Environmental Monitoring products, and Battery Management products. |
Network Management Card 2 (NMC2), Network Management Card 3 (NMC3), and the NMC embedded devices including: Uninterruptible Power Supply (UPS) products APC Power Distribution products Cooling products Environmental Monitoring Battery Management products. See notification for specific affected product and version details. |
SEVD-2021-313-03 (V2.0) PDF | SEVD-2021-313-03 (V2.0) CSAF |
| 2022/04/13 | APT Cyber Tools Targeting ICS/SCADA Devices Security Bulletin | Schneider Electric, working in close collaboration with the United States Department of Energy, Homeland Security, and cybersecurity defense partner, Mandiant, identified and developed protective measures to defend against APT (Advanced Persistent Threat) Cyberattack Tools/Framework still in development that would target a set of our Programmable Logic Controllers (PLCs) products. | SESB-2022-01 | |||
| 2022/03/08 | Ritto Wiserâ„¢ Door | CVE-2021-22783 | CWE-200: Information Exposure | Ritto Wiserâ„¢ Door (All versions) | SEVD-2022-067-03 PDF | SEVD-2022-067-03 CSAF |
| 2022/03/08 | Windows Print Spooler Embedded in EcoStruxureâ„¢ Process Expert |
CVE-2021-34527 CVE-2021-1675 |
Notification Updated - EcoStruxureâ„¢ Process Expert 2021 includes a fix for these vulnerabilities | EcoStruxureâ„¢ Process Expert (All versions prior to V2021) | SEVD-2021-313-04 (V2.0) PDF | SEVD-2021-313-04 (V2.0) CSAF |
| 2022/02/08 | IGSS (Interactive Graphical SCADA System) |
CVE-2022-24310 CVE-2022-24311 CVE-2022-24312 CVE-2022-24313 CVE-2022-24314 CVE-2022-24315 CVE-2022-24316 CVE-2022-24317 |
Multiple Vulnerabilities | IGSS Data Server: IGSSdataServer.exe (V15.0.0.22020 and prior) | SEVD-2022-039-01 PDF | SEVD-2022-039-01 CSAF |
| 2022/02/08 | Easergy P40 | CVE-2022-22813 | CWE-798: Use of Hard-coded Credentials | Easergy P40 Series model numbers with Ethernet option bit as Q, R, S (All PX4X firmware versions) | SEVD-2022-039-03 PDF | SEVD-2022-039-03 CSAF |
| 2022/02/08 | spaceLYnk, Wiser For KNX, fellerLYnk |
CVE-2022-22809 CVE-2022-22810 CVE-2022-22811 CVE-2022-22812 |
Multiple Vulnerabilities |
spaceLYnk (V2.6.2 and prior) Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior) fellerLYnk (V2.6.2 and prior) |
SEVD-2022-039-04 PDF | SEVD-2022-039-04 CSAF |
| 2022/02/08 | EcoStruxure Geo SCADA Expert |
CVE-2022-24318 CVE-2022-24319 CVE-2022-24320 CVE-2022-24321 |
Multiple Vulnerabilities |
ClearSCADA (All Versions) EcoStruxure GeoSCADA Expert 2019 (All Versions) EcoStruxure Geo SCADA Expert 2020 (All Versions) |
SEVD-2022-039-05 PDF | SEVD-2022-039-05 CSAF |
| 2022/02/08 |
Harmony/Magelis iPC SeriesHMI Vijeo Designerand Vijeo Designer Basic |
CVE-2021-22817 | CWE-276: Incorrect Default Permissions |
Harmony/Magelis iPC Series (All Versions) Vijeo Designer (All Versions prior to V6.2 SP11 Multiple HotFix 4) Vijeo Designer Basic (All Versions prior to V1.2.1) |
SEVD-2022-039-06 PDF | SEVD-2022-039-06 CSAF |
| 2022/01/11 | Ethernet and Web server on Modicon M340 controller and Communication Modules |
CVE-2022-22724 CVE-2020-7534 |
CWE-352: Cross-Site Request Forgery (CSRF) & CWE-400: Uncontrolled Resource Consumption |
Modicon M340 CPUs (BMXP34 - All Versions) Modicon Quantum CPUs with integrated Ethernet (Copro) (140CPU65 - All Versions) Modicon Premium CPUs with integrated Ethernet (Copro) (TSXP57 - All Versions) Modicon M340 ethernet modules (BMXNOC040, BMXNOE01, BMXNOR0200H - All Versions) Modicon Quantum and Premiumfactory cast communication modules (140NOE77111, 140NOC78*00, TSXETY5103, TSXETY4103 - All Versions) |
SEVD-2022-011-01 PDF | SEVD-2022-011-01 CSAF |
| 2022/01/11 | Easergy T300 | CVE-2020-8597 | CWE-120: Buffer Copy without Checking Size of Input |
Easergy T300 (Only products connected to a 3G/4G network using the following T300 modems are vulnerable: Easergy HU250 3G modem box - Five Bands UMTS/HSPA+ Easergy HU250 4G modem box with GPS clock synchronization Firmware V2.7.1 and prior) |
SEVD-2022-011-02 PDF | SEVD-2022-011-02 CSAF |
| 2022/01/11 | Easergy P5 |
CVE-2022-22722 CVE-2022-22723 |
CWE-798: Use of Hard-coded Credentials & CWE-120: Buffer Copy without Checking Size of Input | Easergy P5 (All firmware versions prior to V01.401.101) | SEVD-2022-011-03 PDF | SEVD-2022-011-03 CSAF |
| 2022/01/11 | Easergy P3 | CVE-2022-22725 | CWE-120: Buffer Copy without Checking Size of Input | Easergy P3 (All versions prior to V30.205) | SEVD-2022-011-04 PDF | SEVD-2022-011-04 CSAF |
| 2022/01/11 | ConneXium Tofino Firewall and Loadable Security Modules |
CVE-2021-30061 CVE-2021-30064 CVE-2021-30065 CVE-2021-30066 CVE-2021-30062 CVE-2021-30063 |
Multiple Vulnerabilities |
ConneXium Tofino Firewall – part number TCSEFEA23F3F22 - Version prior to v03.23 ConneXium Tofino OPC-LSM – part number TCSEFM0000 - Version prior to Firewall host version v03.23 ConneXium Tofino Firewall – part number TCSEFEA23F3F20/21 - All Versions |
SEVD-2022-011-05 PDF | SEVD-2022-011-05 CSAF |
| 2022/01/11 | EcoStruxureâ„¢ Power Monitoring Expert |
CVE-2022-22726 CVE-2022-22727 CVE-2019-8963 CVE-2022-22804 |
Multiple Vulnerabilities | EcoStruxure Power Monitoring Expert (All Versions 2020 and prior) | SEVD-2022-011-07 PDF | SEVD-2022-011-07 CSAF |
| 2021/12/14 | EVlink City / Parking / Smart Wallbox Charging Stations |
CVE-2021-22724 CVE-2021-22725 CVE-2021-22818 CVE-2021-22819 CVE-2021-22820 CVE-2021-22821 CVE-2021-22822 |
Multiple Vulnerabilties |
EVlink City (EVC1S22P4 / EVC1S7P4) EVlink Parking (EVW2 / EVF2 / EVP2PE) EVlink Smart Wallbox EVB1A - All versions prior to R8 V3.4.0.2 |
SEVD-2021-348-02 PDF | SEVD-2021-348-02 CSAF |
| 2021/12/14 | IGSS (Interactive Graphical SCADA System) |
CVE-2021-22823 CVE-2021-22824 |
CWE-306: Missing Authentication for Critical Function CWE-120: Buffer Copy without Checking Size of Input |
IGSS Data Collector (dc.exe) (V15.0.0.21320 and prior) | SEVD-2021-348-01 PDF | SEVD-2021-348-01 CSAF |
| 2021/12/14 | EcoStruxureâ„¢ Power Monitoring Expert |
CVE-2021-22826 CVE-2021-22827 |
Multiple Vulnerabilties | EcoStruxureâ„¢ Power Monitoring Expert V9.0 and prior | SEVD-2021-348-03 | |
| 2021/12/14 | APC by Schneider Electric Rack PDU | CVE-2021-22825 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
AP7xxxx and AP8xxx with NMC2. (V6.9.6 and prior) AP7xxx and AP8xxx with NMC3 (V1.1.0.3 and prior) APDU9xxx with NMC3 (V1.0.0.28 and prior) |
SEVD-2021-348-04 PDF | SEVD-2021-348-04 CSAF |
| 2021/12/14 | Web Server on Modicon M580 Controllers and Communication Modules (V4.0) |
CVE-2019-6848 CVE-2019-6849 CVE-2019-6850 |
Multiple Vulnerabilities (December 2021 Update: A fix is now available for CVE-2019-6849 on the BMENOC0321) |
Modicon M580 Modicon BMENOC 0311 Modicon BMENOC 0321 |
SEVD-2019-281-04 (V4.0) | |
| 2021/11/09 | Cyber Attacks against KNX Systems Improperly Exposed to the Internet |
Schneider Electric is aware of confirmed reports of cyber-attacks targeting KNX home and building automation systems utilizing a KNXnet/IP Ethernet to KNX gateway or router that has been improperly exposed to the Internet. See security bulletin for recommended mitigations. |
SESB-2021-313-01 | |||
| 2021/11/09 | SCADAPack 300E Series RTU | CVE-2021-22816 | CWE-754: Improper Check for Unusual or Exceptional Conditions | SCADAPack 312E, 313E, 314E, 330E, 333E, 334E, 337E, 350E and 357E RTUs with firmware V8.18.1 and prior | SEVD-2021-313-01 PDF | SEVD-2021-313-01 CSAF |
| 2021/11/09 | Schneider Electric Software Update (SESU) | CVE-2021-22799 | CWE-331: Insufficient Entropy | Schneider Electric Software Update, V2.3.0 through V2.5.1 | SEVD-2021-313-02 PDF | SEVD-2021-313-02 CSAF |
| 2021/11/09 | TelevisAir Dongle BTLE | - | - | TelevisAir V3.0 Dongle BTLE (part number ADBT42* and prior) | SEVD-2021-313-06 | |
| 2021/11/09 | Eurotherm GUIcon |
CVE-2021-22807 CVE-2021-22808 CVE-2021-22809 |
Multiple Vulnerabilities | Eurotherm by Schneider Electric GUIcon Version 2.0 (Build 683.003) and prior | SEVD-2021-313-07 PDF | SEVD-2021-313-07 CSAF |
| 2021/10/12 |
spaceLYnk Wiser For KNX fellerLYnk |
CVE-2021-22806 | CWE-669: Incorrect Resource Transfer Between Spheres |
spaceLYnk V2.6.1 and prior Wiser for KNX V2.6.1 and prior fellerLYnk V2.6.1 and prior |
SEVD-2021-285-01 PDF | SEVD-2021-285-01 CSAF |
| 2021/10/12 | ConneXium Network Manager (CNM) Software | CVE-2021-22801 | CWE-269: Improper Privilege Management | ConneXium Network Manager (Ethernet network management software) – all versions | SEVD-2021-285-02 PDF | SEVD-2021-285-02 CSAF |
| 2021/10/12 | IGSS (Interactive Graphical SCADA System) |
CVE-2021-22802 CVE-2021-22803 CVE-2021-22804 CVE-2021-22805 |
Multiple Vulnerabilties | IGSS Data Collector (dc.exe) V15.0.0.21243 and prior | SEVD-2021-285-03 PDF | SEVD-2021-285-03 CSAF |
| 2021/10/12 | Modicon M218 Logic Controller | CVE-2021-22800 | CWE-20: Improper Input Validation | Modicon M218 logic controller firmware version v5.1.0.6 and prior. | SEVD-2021-285-04 PDF | SEVD-2021-285-04 CSAF |
| 2021/10/12 | Conextâ„¢ Advisor & Conextâ„¢ Control V2 |
CVE-2019-11135 CVE-2020-0601 CVE-2020-0609 CVE-2020-0610 CVE-2020-0796 CVE-2020-0938 CVE-2020-1020 CVE-2020-1350 CVE-2020-1472 CVE-2019-0803 CVE-2019-1040 |
Multiple Vulnerabilities |
Conextâ„¢ Advisor 2 Cloud 2.02 and below Conextâ„¢ Advisor 2 Gateway 1.28.45 and below Conextâ„¢ Control V2 Gateway 2.6 and below |
SEVD-2021-285-05 PDF | SEVD-2021-285-05 CSAF |
| 2021/10/12 | Embedded TCP/IP Stacks Vulnerabilities (AMNESIA:33) in Modicon TM5 modules |
CVE-2020-13987 CVE-2020-17438 |
Multiple Vulnerabilities |
TM5CSLC100FS: safety logic controller Firmware V2.56 and prior TM5CSLC200FS: safety logic controller Firmware V2.56 and prior TM5NS31: sercos III communication module Firmware V2.78 and prior TM5NEIP1: EtherNet/IP module Firmware V3.10 and prior TM5NEIP1K: EtherNet/IP FieldBus KIT Firmware V3.10 and prior |
SEVD-2021-285-06 | |
| 2021/10/12 | Microsoft Remote Desktop Services (DejaBlue) (V5.0) |
CVE-2019-1181 CVE-2019-1182 CVE-2019-1222 CVE-2019-1223 CVE-2019-1224 CVE-2019-1225 CVE-2019-1226 |
Multiple Vulnerabilities (Notification Updated) | Multiple Products | SEVD-2019-267-01 (V5.0) | |
| 2021/10/12 | Intel Microarchitectural Data Sampling (ZombieLoad) (V6.0) |
CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091 |
Multiple Vulnerabilities (Notification Updated) | Multiple Products | SEVD-2019-193-01 (V6.0) | |
| 2021/10/12 | Microsoft Remote Desktop Services (BlueKeep) (V7.0) | CVE-2019-0708 | Remote Code Execution (Notification Updated) | Multiple Products | SEVD-2019-193-02 (V7.0) | |
| 2021/09/14 | StruxureWare Data Center Expert |
CVE-2021-22794 CVE-2021-22795 |
Multiple Vulnerabilities | StruxureWare Data Center Expert versions 7.8.1 and prior. | SEVD-2021-257-03 PDF | SEVD-2021-257-03 CSAF |
| 2021/09/14 | Conextâ„¢ ComBox | CVE-2021-22798 | CWE-522: Insufficiently Protected Credentials | Conextâ„¢ ComBox, all versions | SEVD-2021-257-04 | |
| 2021/09/14 | Treck TCP/IPv6 Vulnerabilities (V4.0) |
CVE-2020-27336 CVE-2020-27337 CVE-2020-27338 |
Multiple Vulnerabilities (Notification Updated) |
ATV340E Altivar Machine Drives ATV630/650/660/680/6A0/6B0 Altivar Process Drives ATV930/950/960/980/9A0/9B0 Altivar Process Drives VW3A3720, VW3A3721 Altivar Process Communication Modules APC Network Management Card 2 (NMC2) APC Network Management Card 3 (NMC3) IFE Gateway Acti9 Smartlink IP* Acti9 PowerTag Link / HD* Acti9 Smartlink SI D* Acti9 Smartlink SI B* EGX150/Link150 Ethernet Gateway** eIFE Ethernet Interface for MasterPact MTZ drawout circuit breakers IFE Ethernet Interface for ComPact, PowerPact, and MasterPact circuit breakers TM3 Bus Coupler EIP ATV6000 Medium Voltage Altivar Process Drives |
SEVD-2020-353-01 (V4.0) | |
| 2021/08/10 | Harmony/Magelis HMI Products configured by Vijeo Designer, Vijeo Designer Basic and EcoStruxure Machine Expert | CVE-2021-22704 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory |
Harmony/HMI Products Configured by Vijeo Designer (all versions prior to V6.2 SP11 ) Vijeo Designer Basic (all versions prior to V1.2), or EcoStruxure Machine Expert (all versions prior to V2.0) |
SEVD-2021-222-01 | |
| 2021/08/10 | Pro-face GP-Pro EX | CVE-2021-22775 | CWE-427: Uncontrolled Search Path Element | GP-Pro EX V4.09.250 and prior | SEVD-2021-222-03 PDF | SEVD-2021-222-03 CSAF |
| 2021/08/10 | AccuSine PCSn/PCS+/PFV+ | CVE-2021-22793 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | AccuSine PCS+ / PFV+ (Versions prior to V1.6.7) and AccuSine PCSn (Versions prior to V2.2.4) | SEVD-2021-222-05 PDF | SEVD-2021-222-05 CSAF |
| 2021/08/10 | CODESYS V2 Vulnerabilities in Programmable Automation Controller (PacDrive) M |
CVE-2021-30186 CVE-2021-30188 CVE-2021-30195 |
Multiple Vulnerabilities | Programmable Automation Controller (PacDrive) M, all versions | SEVD-2021-222-06 PDF | SEVD-2021-222-06 CSAF |
| 2021/08/10 | NTZ Mekhanotronika Rus. LLC SHAIIS-MT-111, SHASU-MT-107 and SHFK-MT, and SHFK-MT-104 Control Panels |
CVE-2021-34527 CVE-2021-1675 |
Multiple Vulnerabilities |
SHAIIS-MT-111 SHASU-MT-107 and SHFK-MT and SHFK-MT-104 Control Panels (see security notification for more details) |
SEVD-2021-222-07 | |
| 2021/08/10 | NTZ Mekhanotronika Rus. LLC SHFK-MT-104 Control Panels | CVE-2021-31166 | HTTP Protocol Stack Remote Code Execution |
SHFK-MT-104 Control Panels (see security notification for more details) |
SEVD-2021-222-08 | |
| 2021/08/10 | Embedded Web Server for Modicon X80 BMXNOR0200H RTU Module (V2.0) | CVE-2021-22749 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | Modicon X80 BMXNOR0200H RTU SV1.70 IR22 and prior | SEVD-2021-159-05 (V2.0) | |
| 2021/08/10 | Treck HTTP Server Vulnerability on TM3 Bus Coupler Modules (V2.0) | CVE-2020-25066 | Heap-Based Overflow |
TM3 Bus Coupler (EIP firmware version 2.1.50.2 and prior) TM3 Bus Coupler (SL firmware version 2.0.50.2 and prior) TM3 Bus Coupler (CANOpen firmware version 2.0.50.2 and prior) |
SEVD-2020-353-02 (V2.0) PDF | SEVD-2020-353-02 (V2.0) CSAF |
| 2021/08/10 |
Web Server on Modicon M340 Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (V2.0) |
CVE-2020-7540 | CWE-306: Missing Authentication for Critical Function |
Modicon M340 CPUs (BMXP34* all versions prior to V3.30) Modicon M340 Ethernet Communication modules(BMXNOE0100 (H) all versions prior to V3.3, BMXNOE0110 (H) all versions prior to V6.5, BMXNOC0401 (H) all versions prior to V2.10) Modicon Premium communication modules (TSXETY4103 prior to V6.2, TSXETY5103 prior to V6.4) Modicon Premium processors with integrated Ethernet COPRO (TSXP574634 versions prior to V6.1, TSXP575634 versions prior to V6.1, TSXP576634 versions prior to V6.1) Modicon Quantum processors with integrated Ethernet COPRO (140CPU65xx0 prior to V6.1) Modicon Quantum communication modules (140NOE771x1, prior to V7.1, 140NOC78x00, prior to V1.74, 140NOC77101, prior to V1.08) BMXNOR200H (all versions) |
SEVD-2020-343-04 (V2.0) PDF | SEVD-2020-343-04 (V2.0) CSAF |
| 2021/08/10 | Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (V2.0) |
CVE-2020-7539 CVE-2020-7541 |
Multiple Vulnerabilities |
Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Ethernet Communication modules (BMXNOE0100 (H) versions prior to V3.3, BMXNOE0110 (H) versions prior to V6.5, BMXNOC0401 (H) versions prior to V2.10) Modicon Premium communication modules (TSXETY4103 versions prior to V6.2, TSXETY5103 versions prior to V6.4) Modicon Premium processors with integrated Ethernet COPRO (TSXP574634 versions prior to V6.1, TSXP575634 versions prior to V6.1, TSXP576634 versions prior to V6.1) Modicon Quantum processors with integrated Ethernet COPRO (140CPU65xx0 versions prior to V6.1) Modicon Quantum communication modules (140NOE771x1 versions prior to V7.1, 140NOC78x00 versions prior to V1.74, 140NOC77101 versions prior to V1.08) |
SEVD-2020-343-03 (V2.0) PDF | SEVD-2020-343-03 (V2.0) CSAF |
| 2021/07/13 | Easergy T300 |
CVE-2021-22769 CVE-2021-22770 CVE-2021-22771 |
Multiple Vulnerabilities | Easergy T300 with firmware V2.7.1 and prior | SEVD-2021-194-02 | |
| 2021/07/13 | SoSafe Configurable | CVE-2021-22777 | CWE-502: Deserialization of Untrusted Data | SoSafe Configurable prior to V1.8.1 | SEVD-2021-194-03 PDF | SEVD-2021-194-03 CSAF |
| 2021/07/13 | C-Bus Toolkit | CVE-2021-22784 | CWE-287: Improper Authentication | C-Bus Toolkit V1.15.8 and prior | SEVD-2021-194-04 PDF | SEVD-2021-194-04 CSAF |
| 2021/07/13 | Easergy T200 | CVE-2021-22772 | CWE-306: Missing Authentication for Critical Function |
Easergy T200 (Modbus) SC2-04MOD-07000100 and earlier Easergy T200 (IEC104) SC2-04IEC-07000100 and earlier Easergy T200 (DNP3) SC2-04DNP-07000102 and earlier |
SEVD-2021-194-05 PDF | SEVD-2021-194-05 CSAF |
| 2021/07/13 | EVlink City / Parking / Smart Wallbox Charging Stations |
CVE-2021-22706 CVE-2021-22707 CVE-2021-22708 CVE-2021-22721 CVE-2021-22722 CVE-2021-22723 CVE-2021-22726 CVE-2021-22727 CVE-2021-22728 CVE-2021-22729 CVE-2021-22730 CVE-2021-22773 CVE-2021-22774 |
Multiple Vulnerabilities | All versions prior to R8 V3.4.0.1 of EVlink City (EVC1S22P4 / EVC1S7P4), EVlink Parking (EVW2 / EVF2 / EV.2), and EVlink Smart Wallbox (EVB1A) | SEVD-2021-194-06 | |
| 2021/07/13 | APC by Schneider Electric Network Management Cards (Ripple20) (V2.3) |
CVE-2020-11896 CVE-2020-11897 CVE-2020-11898 CVE-2020-11899 CVE-2020-11900 CVE-2020-11901 CVE-2020-11902 CVE-2020-11903 CVE-2020-11904 CVE-2020-11905 CVE-2020-11906 CVE-2020-11907 CVE-2020-11908 CVE-2020-11909 CVE-2020-11910 CVE-2020-11911 CVE-2020-11912 CVE-2020-11913 CVE-2020-11914 |
Multiple Vulnerabilities (Notification Updated) |
APC Network Management Card 1 (NMC1) APC Network Management Card 2 (NMC2) APC Network Management Card 3 (NMC3) |
SEVD-2020-174-01 (V2.3) PDF | SEVD-2020-174-01 (V2.3) CSAF |
| 2021/07/13 | EcoStruxureâ„¢ Control Expert, EcoStruxureâ„¢ Process Expert and RemoteConnectâ„¢ (V2.0) | CVE-2020-7560 | CWE-123 - Write-what-where Condition |
EcoStruxure Control Expert (versions prior to v15.0 SP1) Unity Pro (all versions) EcoStruxure Process Expert (all versions) RemoteConnect (all versions) |
SEVD-2020-343-01 (V2.0) PDF | SEVD-2020-343-01 (V2.0) CSAF |
| 2021/07/13 | Triconex Models 3009 MP and TCM 4351B (V1.1) |
CVE-2021-22742 CVE-2021-22743 CVE-2021-22744 CVE-2021-22745 CVE-2021-22746 CVE-2021-22747 |
Multiple Vulnerabilities | Triconex Model 3009 MP and TCM 4351B installed on Tricon v11.3.x systems. | SEVD-2021-130-03 (V1.1) | |
| 2021/06/08 | IGSS (Interactive Graphical SCADA System) |
CVE-2021-22750 CVE-2021-22751 CVE-2021-22752 CVE-2021-22753 CVE-2021-22754 CVE-2021-22755 CVE-2021-22756 CVE-2021-22757 CVE-2021-22758 CVE-2021-22759 CVE-2021-22760 CVE-2021-22761 CVE-2021-22762 |
Multiple Vulnerabilities | IGSS Definition (Def.exe) V15.0.0.21140 and prior | SEVD-2021-159-01 PDF | SEVD-2021-159-01 CSAF |
| 2021/06/08 | PowerLogic EGX100 and PowerLogicEGX300 |
CVE-2021-22763 CVE-2021-22764 CVE-2021-22765 CVE-2021-22766 CVE-2021-22767 CVE-2021-22768 |
Multiple Vulnerabilities |
EGX100 (All Versions) EGX100 (Versions 3.0.0 and newer) EGX300 (All Versions) |
SEVD-2021-159-03 PDF | SEVD-2021-159-03 CSAF |
| 2021/06/08 | Enerlin'X Com’X 510 | CVE-2021-22769 | CWE-269: Improper Privilege Management | Enerlin’X Com’X versions prior to V6.8.4 | SEVD-2021-159-06 | |
| 2021/06/08 |
EcoStruxureâ„¢ Machine Expert and Modicon M218/M241/M251/M262 LMC PacDrive Eco/Pro/Pro2 HMISCU ATV IMC Logic Controllers SoMachine/SoMachine Motion |
CVE-2020-10245 CVE-2019-13538 CVE-2019-9008 CVE-2019-9009 CVE-2020-7052 |
Multiple Vulnerabilities (Notification Updated) |
EcoStruxureâ„¢ Machine Expert and Modicon M218/M241/M251/M262 LMC PacDrive Eco/Pro/Pro2 HMISCU ATV IMC Logic Controllers SoMachine/SoMachine Motion (See Security Notification for full version information) |
SEVD-2021-130-06 (V2.0) | |
| 2021/05/11 | Modicon Managed Switch | CVE-2021-22731 | CWE-640: Weak Password Recovery Mechanism for Forgotten Password | Modicon Managed Switch MCSESM* and MCSESP* V8.21 and prior | SEVD-2021-130-01 PDF | SEVD-2021-130-01 CSAF |
| 2021/05/11 | Harmony HMI Products Configured by Vijeo Designer or EcoStruxure Machine Expert | CVE-2021-22705 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer | Harmony HMI Products Configured by Vijeo Designer (all versions prior to V6.2 SP11 ) or EcoStruxur Machine Expert (all versions prior to V2.0) | SEVD-2021-130-02 | |
| 2021/05/11 | Modicon M241 and M251 Logic Controllers | CVE-2021-22699 | CWE-20: Improper Input Validation | Modicon M241/M251 logic controllers firmware prior to V5.1.9.1 | SEVD-2021-130-05 PDF | SEVD-2021-130-05 CSAF |
| 2021/05/11 | EcoStruxureâ„¢ Geo SCADA Expert | CVE-2021-22741 | CWE-916: Use of Password Hash with Insufficient Computational Effort |
ClearSCADA (all versions) EcoStruxure Geo SCADA Expert 2019 (all versions) EcoStruxure Geo SCADA Expert 2020 (V83.7742.1 and prior) |
SEVD-2021-130-07 PDF | SEVD-2021-130-07 CSAF |
| 2021/05/11 | Modicon Controllers, EcoStruxureâ„¢ Control Expert and Unity Pro Programming Software (V3.0) | CVE-2020-7475 | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (Notification Updated) |
EcoStruxureâ„¢ Control Expert: all versions prior to V15.0 Unity Pro: all versions Modicon M340: all versions prior to V3.20 Modicon M580: all versions prior to V3.10 |
SEVD-2020-080-01 (V3.0) PDF | SEVD-2020-080-01 (V3.0) CSAF |
| 2021/04/15 | PowerLogic ION8650 / ION8800 / ION7x50 / ION7700/73xx / ION83xx/84xx/85xx/8600 Power Meters | CVE-2021-22713 | CWE-119: Improper restriction of operations within the bounds of a memory buffer | ION8650 / ION8800 / ION7x50 / ION7700/73xx / ION83xx/84xx/85xx/8600 (See notification for affected versions) | SEVD-2021-068-03 (V2.0) PDF | |
| 2021/04/13 | NTZ Mekhanotronika Rus. LLC SHFK-MT-104, SHASU-MT-107 and SHAIIS-MT-111 Control Panels |
CVE-2019-1040 CVE-2019-0803 |
Multiple Vulnerabilities |
SHFK-MT-104 SHASU-MT-107 SHAIIS-MT-111 (See Security Notification for details) |
SEVD-2021-103-02 | |
| 2021/04/13 | Schneider Electric Floating License Manager |
CVE-2019-8960 CVE-2019-8961 |
Multiple Vulnerabilities (Notification Updated) | Schneider Electric Floating License Manager V2.4.0.0 and earlier | SEVD-2020-196-02 (V1.3) | |
| 2021/03/09 | IGSS (Interactive Graphical SCADA System) |
CVE-2021-22709 CVE-2021-22710 CVE-2021-22711 CVE-2021-22712 |
Multiple Vulnerabilities | IGSS Definition (Def.exe) version 15.0.0.21041 and prior | SEVD-2021-068-01 PDF | SEVD-2021-068-01 CSAF |
| 2021/03/09 | PowerLogic ION7400 / PM8000 / ION9000 Power Meters | CVE-2021-22714 | CWE-119: Improper restriction of operations within the bounds of a memory buffer | All versions prior to V3.0.0 of ION7400, ION9000, and ION8000 | SEVD-2021-068-02 PDF | SEVD-2021-068-02 CSAF |
| 2021/02/09 | PowerLogic Power Metering Products |
CVE-2021-22701 CVE-2021-22702 CVE-2021-22703 |
Multiple Vulnerabilities |
ION7400 ION7x50 ION7700/73xx ION83xx/84xx/85xx/8600 ION8650 ION8800 ION9000 and PM8000 (see notification for affected versions) |
SEVD-2021-040-01 PDF | SEVD-2021-040-01 CSAF |
| 2021/01/12 | EcoStruxureâ„¢ Operator Terminal Expert (Vijeo XD), Pro-face BLUE and WinGP runtime | CVE-2020-7544 | CWE-269 Improper Privilege Management (Notification Updated) |
EcoStruxureâ„¢ Operator Terminal Expert Runtime 3.1 Service Pack 1A and prior Pro-face BLUE Runtime 3.1 Service Pack 1A and prior WinGP V4.09.120 (See security notification for more details) |
SEVD-2020-315-02 (V2.0) PDF | SEVD-2020-315-02 (V2.0) CSAF |
| 2021/01/12 | Modicon M100/M200/M221 Programmable Logic Controllers (V3.0) |
CVE-2020-7565 CVE-2020-7566 CVE-2020-7567 CVE-2020-7568 CVE-2020-28214 |
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-311: Missing Encryption of Sensitive Data CWE-326: Inadequate Encryption Strength CWE-334: Small Space of Random Values CWE-760: Use of a One-Way Hash with a Predictable Salt |
Modicon M100/M200/M221 (all references) (all versions) | SEVD-2020-315-05 (V3.0) PDF | SEVD-2020-315-05 (V3.0) CSAF |
| 2020/12/08 | EcoStruxureâ„¢ Geo SCADA Expert | CVE-2020-28219 | CWE-522: Insufficiently Protected Credentials |
EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1) |
SEVD-2020-343-02 PDF | SEVD-2020-343-02 CSAF |
| 2020/12/08 |
Modicon M580 Modicon M340 Legacy Controllers Modicon Quantum & Modicon Premium |
CVE-2020-7537 CVE-2020-7542 CVE-2020-7543 |
Multiple Vulnerabilities |
Modicon M580 CPUs (BMEx58xxxxx prior to version 3.20) Modicon M340 CPUs (BMX P34x prior to version 3.30) Modicon Premium CPUs all versions –(SXP574634, TSXP575634, TSXP576634) Modicon Quantum CPUs all versions (40CPU65xxxxx) |
SEVD-2020-343-08 PDF | SEVD-2020-343-08 CSAF |
| 2020/12/08 | Modicon M258 Logic Controllers and SoMachine/ SoMachine Motion Software | CVE-2020-28220 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer |
Modicon M258 Firmware (All versions prior to V5.0.4.11) SoMachine/SoMachine Motion software (All versions) |
SEVD-2020-343-09 PDF | SEVD-2020-343-09 CSAF |
| 2020/12/08 | Easergy T300 |
CVE-2020-7561 CVE-2020-28215 CVE-2020-28216 CVE-2020-28217 CVE-2020-28218 |
Multiple Vulnerabilities (Notification Updated) | Easergy T300 with firmware 2.7 and older | SEVD-2020-315-06 (V2.0) PDF | SEVD-2020-315-06 (V2.0) CSAF |
| 2020/12/08 | Wibu-Systems CodeMeter Vulnerabilities |
CVE-2020-14509 CVE-2020-14513 CVE-2020-14515 CVE-2020-14517 CVE-2020-14519 CVE-2020-16233 |
Multiple Vulnerabilities |
EcoStruxure Machine Expert (formerly known as SoMachine and SoMachine Motion) E+PLC400 - E+PLC100 E+PLC_Setup - EcoStruxure Machine SCADA Expert |
SEVD-2020-287-02 (V1.1) PDF | SEVD-2020-287-02 (V1.1) CSAF |
| 2020/11/10 | Interactive Graphical SCADA System (IGSS) |
CVE-2020-7550 CVE-2020-7551 CVE-2020-7552 CVE-2020-7553 CVE-2020-7554 CVE-2020-7555 CVE-2020-7556 CVE-2020-7557 CVE-2020-7558 |
Multiple Vulnerabilities | IGSS Definition (Def.exe) version 14.0.0.20247 and prior | SEVD-2020-315-03 PDF | SEVD-2020-315-03 CSAF |
| 2020/11/10 | EcoStruxure Building Operation (EBO) |
CVE-2020-7569 CVE-2020-7570 CVE-2020-7571 CVE-2020-7572 CVE-2020-7573 CVE-2020-28209 CVE-2020-28210 |
Multiple Vulnerabilities |
WebReports V1.9 - V3.1 WebStation (V2.0 - V3.1) Enterprise Server installer (V1.9 - V3.1) Enterprise Central installer (V2.0 - V3.1) |
SEVD-2020-315-04 PDF | SEVD-2020-315-04 CSAF |
| 2020/11/10 | Trio Q and J Data Radios | - | Drovorub malware | Trio Q and J Data Radios | SESB-2020-315-01 | |
| 2020/11/10 | EcoStruxureâ„¢ Operator Terminal Expert (Vijeo XD) |
CVE-2020-7493 CVE-2020-7494 CVE-2020-7495 CVE-2020-7496 CVE-2020-7497 |
Multiple Vulnerabilities | EcoStruxureâ„¢ Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) | SEVD-2020-133-04 (V3.0) | |
| 2020/11/10 | Modicon M218/M241/M251/M258 Logic Controllers SoMachine/SoMachine Motion EcoStruxureâ„¢ Machine Expert |
CVE-2020-7487 CVE-2020-7488 |
Multiple Vulnerabilities | All versions | SEVD-2020-105-02 (V1.1) PDF | SEVD-2020-105-02 (V1.1) CSAF |
| 2020/10/13 |
Web Server on Modicon M340 Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules |
CVE-2020-7533 | CWE-287: Improper Authentication |
M340 CPUs M340 Communication Ethernet modules Premium processors with integrated Ethernet COPRO Premium communication modules Quantum processors with integrated Ethernet COPRO Quantum communication modules |
SEVD-2020-287-01 (V1.1) PDF | SEVD-2020-287-01 (V1.1) CSAF |
| 2020/10/13 |
Smartlink PowerTag Wiser Series Gateways |
CVE-2020-7548 | CWE-330 - Use of Insufficiently Random Values |
Acti9 Smartlink SI D all versions prior to 002.004.002 Acti9 Smartlink SI B all versions prior to 002.004.002 Acti9 PowerTag Link / Link HD all versions prior to 001.008.007 Acti9 Smartlink EL B all versions prior to 1.2.1 Wiser Link all versions prior to 1.5.0 Wiser Energy all versions prior to 1.5.0 |
SEVD-2020-287-03 PDF | SEVD-2020-287-03 CSAF |
| 2020/10/13 | EcoStruxureâ„¢ and SmartStruxureâ„¢ Power Monitoring and SCADA Software |
CVE-2020-7545 CVE-2020-7546 CVE-2020-7547 |
Multiple Vulnerabilities |
EcoStruxureâ„¢ Power Monitoring Expert versions 9.0, 8.x, 7.x EcoStruxureâ„¢ Energy Expert version 2.0 Power Manager versions 1.1, 1.2, 1.3 StruxureWareâ„¢ PowerSCADA Expert with Advanced Reporting and Dashboards Module versions 8.x EcoStruxureâ„¢ Power SCADA Operation with Advanced Reporting and Dashboards Module version 9.0 |
SEVD-2020-287-04 PDF | SEVD-2020-287-04 CSAF |
| 2020/10/13 | Netlogon Elevation of Privilege Vulnerability | CVE-2020-1472 | Multiple Vulnerabilities | Elevation of privilege vulnerability | SESB-2020-287-01 | |
| 2020/10/13 | Modbus Serial Driver | CVE-2020-7523 | CWE-269: Improper Privilege Management |
Schneider Electric Modbus Serial Driver (64 bits) versions prior to V3.20 IE 30 Schneider Electric Modbus Serial Driver (32 bits) versions prior to V2.20 IE 30 Schneider Electric Modbus Driver Suite versions prior to V14.15.0.0 |
SEVD-2020-224-01 (V1.1) PDF | SEVD-2020-224-01 (V1.1) CSAF |
| 2020/10/13 | SCADAPack 7x Remote Connect and SCADAPack x70 Security Administrator |
CVE-2020-7528 CVE-2020-7529 CVE-2020-7530 CVE-2020-7531 CVE-2020-7532 |
Multiple Vulnerabilities | SCADAPack 7x Remote Connect (V3.6.3.574 and prior) and SCADAPack x70 Security Administrator (V1.2.0 and prior) | SEVD-2020-252-01 (V2.0) PDF | SEVD-2020-252-01 (V2.0) CSAF |
| 2020/08/11 | spaceLYnk and Wiser for KNX (formerly homeLYnk) | CVE-2020-7525 | CWE-307: Improper Restriction of Excessive Authentication Attempts | All hardware versions of spaceLYnk and Wiser for KNX (formerly homeLYnk) | SEVD-2020-224-02 PDF | SEVD-2020-224-02 CSAF |
| 2020/08/11 | Modicon M218 Logic Controller | CVE-2020-7524 | CWE-787:Out-of-bounds Write | Modicon M218 Logic Controller V5.0.0.7 and prior | SEVD-2020-224-03 PDF | SEVD-2020-224-03 CSAF |
| 2020/08/11 | APC Easy UPS On-Line Software |
CVE-2020-7521 CVE-2020-7522 |
Multiple Vulnerabilities | SFAPV9601 - APC Easy UPS On-Line Software V2.0 and earlier | SEVD-2020-224-04 PDF | SEVD-2020-224-04 CSAF |
| 2020/08/11 | PowerChute Business Edition | CVE-2020-7526 | CWE-20: Improper Input Validation | PowerChute Business Edition software V9.0.x and earlier | SEVD-2020-224-05 PDF | SEVD-2020-224-05 CSAF |
| 2020/08/11 | Harmony® eXLhoist | CVE-2019-19193 | Bluetooth Low Energy Vulnerability (SweynTooth) | Harmony® eXLhoist base stations v04.00.02.00 and prior | SEVD-2020-224-06 PDF | SEVD-2020-224-06 CSAF |
| 2020/08/11 | SoMove | CVE-2020-7527 | CWE-276: Incorrect Default Permission | SoMove V2.8.1 and prior | SEVD-2020-224-07 PDF | SEVD-2020-224-07 CSAF |
| 2020/08/11 | Schneider Electric PACTware |
CVE-2020-9403 CVE-2020-9404 |
Multiple Vulnerabilities |
Schneider Electric PACTware V5.0.5.30 and prior. Schneider Electric PACTware V4.1 SP5 and prior. |
SEVD-2020-224-08 PDF | SEVD-2020-224-08 CSAF |
| 2020/08/11 | Vijeo Designer and Vijeo Designer Basic | CVE-2020-7501 | CWE-798: Use of Hard-coded Credentials |
Vijeo Designer Basic V1.1 HotFix 16 and prior Vijeo Designer V6.9 SP9 and prior |
SEVD-2020-133-02 (V1.1) PDF | SEVD-2020-133-02 (V1.1) CSAF |
| 2020/08/11 | Vijeo Designer and Vijeo Designer Basic | CVE-2020-7490 | CWE-426: Untrusted Search Path | Vijeo Designer Basic (V1.1 HotFix 15 and prior) and Vijeo Designer (V6.2 SP9 and prior) | SEVD-2020-105-03 (V1.2) PDF | SEVD-2020-105-03 (V1.2) CSAF |
| 2020/07/14 | Schneider Electric Software Update (SESU) | CVE-2020-7520 | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | SESU V2.4.0 and earlier | SEVD-2020-196-01 PDF | SEVD-2020-196-01 CSAF |
| 2020/06/23 | Security Bulletin: Treck TCP/IP Vulnerabilities (Ripple20) |
CVE-2020-11896 CVE-2020-11897 CVE-2020-11898 CVE-2020-11899 CVE-2020-11900 CVE-2020-11901 CVE-2020-11902 CVE-2020-11903 CVE-2020-11904 CVE-2020-11905 CVE-2020-11906 CVE-2020-11907 CVE-2020-11908 CVE-2020-11909 CVE-2020-11910 CVE-2020-11911 CVE-2020-11912 CVE-2020-11913 CVE-2020-11914 |
Multiple Vulnerabilities | See Security Bulletin | SESB-2020-168-01 (V2.0) | |
| 2020/06/23 | Legacy Triconex Product Vulnerabilities |
CVE-2020-7483 CVE-2020-7484 CVE-2020-7485 CVE-2020-7486 CVE-2020-7491 |
Multiple Vulnerabilities | See Security Bulletin | SESB-2020-105-01 (V2.1) | |
| 2020/06/09 | Modicon M218 Logic Controller | CVE-2020-7502 | CWE-787: Out-of-bounds Write Vulnerability | Modicon M218 firmware version 4.3 and prior | SEVD-2020-161-01 PDF | SEVD-2020-161-01 CSAF |
| 2020/06/09 | Unity Loader and OS Loader Software | CVE-2020-7498 | CWE-798: Use of Hard-coded Credentials |
Unity Loader - All versions OS Loader - All versions (used for legacy Modicon offers) |
SEVD-2020-161-02 | |
| 2020/06/09 | Modicon LMC078 Logic Controller | CVE-2020-10664 | NULL Pointer Dereference | Modicon LMC Logic Controller running with firmware version V1.51.15.05 and later | SEVD-2020-161-03 PDF | SEVD-2020-161-03 CSAF |
| 2020/06/09 | Easergy T300 |
CVE-2020-7503 CVE-2020-7504 CVE-2020-7505 CVE-2020-7506 CVE-2020-7507 CVE-2020-7508 CVE-2020-7509 CVE-2020-7510 CVE-2020-7511 CVE-2020-7512 CVE-2020-7513 |
Multiple Vulnerabilities | Easergy T300 with firmware 1.5.2. and older | SEVD-2020-161-04 PDF | SEVD-2020-161-04 CSAF |
| 2020/06/09 | Easergy Builder |
CVE-2020-7514 CVE-2020-7515 CVE-2020-7516 CVE-2020-7517 CVE-2020-7518 CVE-2020-7519 |
Multiple Vulnerabilities | Easergy Builder version 1.4.7.2 and older | SEVD-2020-161-05 PDF | SEVD-2020-161-05 CSAF |
| 2020/06/09 | GoAhead Web Server | CVE-2015-7937 | Stack-based buffer overflow |
BMXNOC0401 (all versions prior to v2.09) BMXNOE0100 (all versions prior to v3.10) BMXNOE0100H (all versions prior to v3.10) BMXNOE0110 (all versions prior to v6.30) BMXNOE0110H (all versions prior to v6.30) BMXNOR0200 (all versions prior to v1.70) BMXNOR0200H (all versions prior to v1.70) BMXP342020 (all versions prior to v2.80) BMXP342020H (all versions prior to v2.80) BMXP342030 (all versions prior to v2.80) BMXP3420302 (all versions prior to v2.80) BMXP3420302H (all versions prior to v2.80) BMXPRA0100 (all versions prior to v2.80) |
SEVD-2015-344-01 (V2.0) PDF | SEVD-2015-344-01 (V2.0) CSAF |
| 2020/05/12 | Pro-face GP-Pro EX Programming Software | CVE-2020-7492 | CWE-521: Weak Password Requirements | GP-Pro EX V1.00 to V4.09.100 | SEVD-2020-133-01 | |
| 2020/05/12 | U.motion Servers and Touch Panels |
CVE-2020-7499 CVE-2020-7500 |
Multiple Vulnerabilities |
All versions of: MTN6501-0001 – U.Motion – KNX Server, MTN6501-0002 – U.Motion – KNX Server Plus MTN6260-0410 – U.Motion KNX server Plus, Touch 10 MTN6260-0415 – U.Motion KNX server Plus, Touch 15 MTN6260-0310 – U.Motion KNX Client Touch 10 MTN6260-0315 – U.Motion KNX Client Touch 15 |
SEVD-2020-133-03 PDF | SEVD-2020-133-03 CSAF |
| 2020/05/12 | Andover Continuum System |
CVE-2020-7480 CVE-2020-7481 CVE-2020-7482 |
Multiple Vulnerabilities | All Continuum versions are affected | SEVD-2020-070-04 (V2.1) PDF | SEVD-2020-070-04 (V2.1) CSAF |
| 2020/05/12 | Embedded Web Servers for Modicon |
CVE-2018-7804 CVE-2018-7809 CVE-2018-7810 CVE-2018-7811 CVE-2018-7812 CVE-2018-7830 CVE-2018-7831 CVE-2018-7833 |
Multiple Vulnerabilities |
All Modicon M340, Premium Quantum PLCs BMXNOR0200 controllers |
SESB-2018-327-01 (V3.2) | |
| 2020/04/14 |
Modicon M100/M200/M221 controllers SoMachine Basic and EcoStruxure Machine Expert - Basic Programming Software |
CVE-2020-7489 | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | All versions | SEVD-2020-105-01 PDF | SEVD-2020-105-01 CSAF |
| 2020/04/14 | Modicon Controllers, EcoStruxureâ„¢Control Expert and Unity Pro Programming Software | CVE-2019-6855 | CWE-285 Improper Authorization |
EcoStruxureâ„¢ Control Expert: all versions prior to 14.1 Hot Fix Unity Pro: all versions, Modicon M340: all versions prior to V3.20 Modicon M580: all versions prior to V3.10 |
SEVD-2019-344-02 (V2.0) | |
| 2020/03/10 | IGSS (Interactive Graphical SCADA System) |
CVE-2020-7478 CVE-2020-7479 |
Multiple Vulnerabilities | Versions 14 and prior using the service: IGSSupdate. | SEVD-2020-070-01 PDF | SEVD-2020-070-01 CSAF |
| 2020/03/10 | Modicon Quantum Ethernet Network module and Quantum / Premium COPRO | CVE-2020-7477 | CWE-754: Improper Check for Unusual or Exception Conditions |
Quantum Ethernet Network module 140NOE771x1, versions 7.0 and prior Quantum processors with integrated Ethernet – 140CPU65xxxxx, all versions Premium processors with integrated Ethernet, all versions |
SEVD-2020-070-02 PDF | SEVD-2020-070-02 CSAF |
| 2020/03/10 | ZigBee Installation Toolkit | CVE-2020-7476 | CWE-426: Untrusted Search Path | Versions prior to 1.0.1 | SEVD-2020-070-03 PDF | SEVD-2020-070-03 CSAF |
| 2020/02/11 | ProSoft Configurator for Modicon PMEPXM0100 (H) | CVE-2020-7474 | CWE-427: Uncontrolled Search Path Element | ProSoft Configurator v1.002 and prior, for the PMEPXM0100 (H) module | SEVD-2020-042-01 PDF | SEVD-2020-042-01 CSAF |
| 2020/02/11 | U.motion Builder Software |
CVE-2018-7763 CVE-2018-7764 CVE-2018-7765 CVE-2018-7766 CVE-2018-7767 CVE-2018-7768 CVE-2018-7769 CVE-2018-7770 CVE-2018-7771 CVE-2018-7772 CVE-2018-7773 CVE-2018-7774 CVE-2018-7776 CVE-2018-7777 CVE-2018-7494 |
Security Notification Updated | All versions prior to v1.3.4 | SEVD-2018-095-01 (V1.2) PDF | SEVD-2018-095-01 (V1.2) CSAF |
| 2020/01/28 | EcoStruxureâ„¢ Operator Terminal Expert | - | Security Bulletin | EcoStruxureâ„¢ Operator Terminal Expert software | SESB-2020-028-01 | |
| 2020/01/14 | MSX Configurator | CVE-2019-6858 | CWE-427:Uncontrolled Search Path Element | Software Version prior to V1.0.8.1 | SEVD-2020-014-01 PDF | SEVD-2020-014-01 CSAF |
