Recommended cybersecurity best practices
Stay informed about the latest security notifications
|
|
|
|
|
|
|
|
|---|---|---|---|---|---|---|
| 2023/03/14 | EcoStruxure™ Power Monitoring Expert | CVE-2023-28003 | CWE-613: Insufficient Session Expiration | EcoStruxure™ Power Monitoring Expert 2022 | SEVD-2023-073-01 PDF | SEVD-2023-073-01 CSAF |
| 2023/03/14 | PowerLogic™ HDPM6000 | CVE-2023-28004 | CWE-129: Improper Validation of an Array Index | PowerLogic™ HDPM6000 (Version 0.58.6 and prior) | SEVD-2023-073-02 PDF | SEVD-2023-073-02 CSAF |
| 2023/03/14 | IGSS (Interactive Graphical SCADA System) | CVE-2023-27977, CVE-2023-27978, CVE-2023-27979, CVE-2023-27980, CVE-2023-27981, CVE-2023-27982, CVE-2023-27983, CVE-2023-27984 | Multiple Vulnerabilities |
• IGSS Data Server (IGSSdataServer.exe) (V16.0.0.23040 and prior) • IGSS Dashboard (DashBoard.exe) (V16.0.0.23040 and prior) • Custom Reports (RMS16.dll) (V16.0.0.23040 and prior) |
SEVD-2023-073-04 PDF | SEVD-2023-073-04 CSAF |
| 2023/03/14 | EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and Modicon M340, M580 and M580 CPU Safety | CVE-2022-45789 | Notification Updated: Modicon Momentum Unity M1E Process and Modicon MC80 were added to the impacted products with the mitigations. | EcoStruxure™ Process Expert (Versions prior to V2021) | SEVD-2023-010-06 (V2.0) PDF | SEVD-2023-010-06 (V2.0) CSAF |
| 2023/03/14 | EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and Modicon PLCs (Programmable Logic Controllers) and PACs (Programmable Automation Controllers) | CVE-2022-0222 | Notification Updated: Remediation for EcoStruxure™ Control Expert, Modicon M580 CPU, and Momentum Unity M1E Processor are available for download. Additional mitigations for Modicon M340 were added. |
• EcoStruxure™ Control Expert (All Versions) • EcoStruxure™ Process Expert (Version V2020 & prior) • Modicon M340 CPU (part numbers BMXP34*) (All Versions) • Modicon M580 CPU (part numbers BMEP* and BMEH*) (All Versions) • Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) (All Versions) • Modicon Momentum Unity M1E Processor (171CBU*) (All Versions) • Modicon MC80 (BMKC80) (All Versions) • Legacy Modicon Quantum (140CPU65*) and Premium CPUs (TSXP57*) (All Versions) |
SEVD-2023-010-05 (V2.0) PDF | SEVD-2023-010-05 (V2.0) CSAF |
| 2023/03/14 | EcoStruxure™ Geo SCADA Expert | CVE-2023-22610, CVE-2023-22611 | Notification Updated: Adjustment of the deprecated CWE of the CVE-2023-22610. |
• EcoStruxure™ Geo SCADA Expert 2019, EcoStruxure™ Geo SCADA Expert 2020, EcoStruxure™ Geo SCADA Expert 2021 (All versions prior to October 2022) • ClearSCADA (All Versions) |
SEVD-2023-010-02 (V1.1) PDF | SEVD-2023-010-02 (V1.1) CSAF |
| 2023/03/14 | Modicon PAC Controllers | CVE-2021-22786 | Notification Updated: Remediation for the Modicon M580 CPU is available for download. |
• Modicon M340 CPU (part numbers BMXP34*) V3.30 and prior • Modicon M580 CPU (part numbers BMEP* and BMEH*) SV3.20 and prior • Modicon MC80 (BMKC80) V1.6 and prior • Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) (All versions) • Modicon Momentum MDI (171CBU*) V2.3 and prior • Legacy Modicon Quantum (All versions) |
SEVD-2022-221-04 (V4.0) PDF | SEVD-2022-221-04 (V4.0) CSAF |
| 2023/03/14 | Modicon PAC Controllers | CVE-2022-37301 | Notification Updated: A remediation is available for Modicon Momentum Unity M1E processor and for the Modicon M580 CPU. |
• Modicon M340 CPU (part numbers BMXP34*) (V3.40 and prior) • Modicon M580 CPU (part numbers BMEP* and BMEH*) (SV3.22 and prior) • Modicon M580 CPU Safety (part numbers BMEP584040S and BMEP586040S) (All Versions) • Legacy Modicon Quantum/Premium (All Versions) • Modicon Momentum MDI (171CBU*) (SV2.5 and prior) |
SEVD-2022-221-02 (V4.0) PDF | SEVD-2022-221-02 (V4.0) CSAF |
| 2023/03/14 | EcoStruxure™ Control Expert, EcoStruxure™ Process Expert, and Modicon Controllers M580 and M340 | CVE-2022-37300 | Notification Updated: Remediation for the Modicon M580 CPU is available for download. |
• EcoStruxure™ Control Expert Including all Unity Pro versions (former name of EcoStruxure™ Control Expert) V15.0 SP1 and prior • EcoStruxure™ Process Expert, Including all versions of EcoStruxure™ Hybrid DCS (former name of EcoStruxure™ Process Expert) (V2021 and prior) • Modicon M340 CPU (part numbers BMXP34*, V3.40 and prior) • Modicon M580 CPU (part numbers BMEP* and BMEH*, SV3.22 and prior) • Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S, All Versions) |
SEVD-2022-221-01 (V4.0) PDF | SEVD-2022-221-01 (V4.0) CSAF |
| 2023/03/14 | IGSS (Interactive Graphical SCADA System) | CVE-2022-32522, CVE-2022-32523, CVE-2022-32524, CVE-2022-32525, CVE-2022-32526, CVE-2022-32527, CVE-2022-32528, CVE-2022-32529 | Notification Updated: The CVE-2022-32528 description details have been clarified. | IGSS Data Server (IGSSdataServer.exe) Versions prior to Version 15.0.0.22139 | SEVD-2022-165-01 (V2.1) PDF | SEVD-2022-165-01 (V2.1) CSAF |
| 2023/03/14 | CODESYS V3 Runtime, Development System and Gateway Vulnerabilities | CVE-2021-29240, CVE-2021-29241, CVE-2021-21863, CVE-2021-21864, CVE-2021-21865, CVE-2021-21866, CVE-2021-21867, CVE-2021-21868, CVE-2021-21869, CVE-2021-33485 | Notification Updated: A remediation is available for HMISTU Series / HMIGTO Series / HMIGTU Series / HMIGTUX Series / HMIGK Series. |
• M241/M251 (All Versions) • EcoStruxure Machine Expert (All Versions) • Harmony/Magelis HMISTU Series, HMIGTO Series, HMIGTU Series, HMIGTUX Series, HMIGK Series, HMISCU Series, Vijeo Designer (V6.2 SP11 Hotfix 3 and prior) • Eurotherm E+PLC100 (All Versions) • Eurotherm E+PLC400 (V1.3.0.1 and prior) • Eurotherm E+PLC tools (V1.3.0.1 and prior) • Easy Harmony ET6 HMIET Series (Vijeo Designer Basic V1.2.1 and later) • Easy Harmony GXU HMIGXU Series (Vijeo Designer Basic V1.2.1 and later) |
SEVD-2022-011-06 (V6.0) PDF | SEVD-2022-011-06 (V6.0) CSAF |
| 2023/03/14 | BadAlloc Vulnerabilities | See Security Notification for specific CVEs. | Notification Updated: Remediations for the following products are now available: Easergy MiCOM P30 range models P139, P437, P439, P532, P631, P632, P633, P634, C434, Modicon M580 CPU part numbers BMEP* and BMEH, and Modicon Momentum Unity M1E Processor part numbers 171CBU*. Mitigations for Easergy MiCOM P30 range, models P138, P436, P438, P132, P433, P435 have been added. | See Security Notification for offer specific information. | SEVD-2021-313-05 (V17.0) PDF | SEVD-2021-313-05 (V17.0) CSAF |
| 2023/03/14 | Modicon PAC Controllers and PLC Simulator for EcoStruxure™ Control Expert and EcoStruxure™ Process Expert | CVE-2021-22789, CVE-2021-22790, CVE-2021-22791, CVE-2021-22792 | Notification Updated: A remediation is available for Modicon M580 CPU and Modicon Momentum Unity M1E Processor for CVE-2021-22789 (page 3), and update to the PLC Simulator user manual to reflect the mitigation. |
• Modicon M580 CPU (part numbers BMEP* and BMEH*, prior to SV3.20) • Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S, All Versions) • Modicon M340 CPU (part numbers BMXP34*, all versions) • Modicon MC80 (part numbers BMKC80*, all versions) • Modicon Momentum Ethernet CPU (part numbers 171CBU*, all versions) • PLC Simulator for EcoStruxure™ Control Expert, including all Unity Pro versions (All versions) • PLC Simulator for EcoStruxure™ Process Expert including all HDCS versions (All versions) • Modicon Quantum CPU (part numbers 140CPU*, All versions) • Modicon Premium CPU (part numbers TSXP5*, All versions) |
SEVD-2021-222-04 (V4.0) PDF | SEVD-2021-222-04 (V4.0) CSAF |
| 2023/03/14 | EcoStruxure™ Control Expert, EcoStruxure™ Process Expert, SCADAPack RemoteConnect™ x70, and Modicon Controllers M580 and M340 | CVE-2021-22778, CVE-2021-22779, CVE-2021-22780, CVE-2021-22781, CVE-2021-22782, CVE-2020-12525 | Notification Updated: Remediation for the Modicon M580 CPU is available for download. |
• EcoStruxure™ Control Expert (V15.1, V15.0 SP1, All versions prior to V15.0 SP1 including all versions of Unity Pro) • EcoStruxure™ Process Expert (V2021, All versions including all versions of EcoStruxure Hybrid DCS) • SCADAPack RemoteConnect™ for x70 (All versions) • Modicon M580 CPU (Prior to V3.20 - part numbers BMEP* and BMEH*) • Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S, All Versions) • Modicon M340 CPU (versions prior to V3.50 - part numbers BMXP34*) |
SEVD-2021-194-01 (V8.0) PDF | SEVD-2021-194-01 (V8.0) CSAF |
| 2023/03/14 | ISaGRAF Vulnerabilities in IEC 61131-3 Programming and Engineering Tools | CVE-2020-25176, CVE-2020-25178, CVE-2020-25182, CVE-2020-25184, CVE-2020-25180 | Notification Updated: A remediation is available for SCD2200 product. |
• Easergy T300 • Easergy C5 • MiCOM C264 • PACiS GTW • EPAS GTW • SCADAPack 300E RTU • SCADAPack 53xE RTU • SCADAPack Workbench • SCD2200 Firmware for CP-3/MC-31 • SAGE RTU (C3414 CPU, C3413 CPU, C3412 CPU) • Talus T4e Mk 1 (A18.xx Firmware (all)) T4e Mk II and T4c (A19.08 Firmware and prior) |
SEVD-2021-159-04 (V5.0) PDF | SEVD-2021-159-04 (V5.0) CSAF |
| 2023/03/14 | Modicon Controllers | CVE-2019-6843, CVE-2019-6844, CVE-2019-6846, CVE-2019-6847, CVE-2019-6841, CVE-2019-6842 | Notification Updated: Remediation for the Modicon M580 CPU is available for download. |
• Modicon M580 (Versions prior to SV3.20) • Modicon M580 CPU Safety Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S, All versions) • Modicon M340 (all versions) • Modicon BMxCRA and 140CRA modules (all versions) |
SEVD-2019-281-02 (V6.0) PDF | SEVD-2019-281-02 (V6.0) CSAF |
| 2023/03/14 | Modicon Controllers | CVE-2018-7846, CVE-2018-7849, CVE-2018-7843, CVE-2018-7848, CVE-2018-7842, CVE-2018-7847, CVE-2018-7850, CVE-2018-7845, CVE-2018-7852, CVE-2018-7853, CVE-2018-7854, CVE-2018-7855, CVE-2018-7856, CVE-2018-7857, CVE-2019-6806, CVE-2019-6807, CVE-2019-6808, CVE-2018-7844, CVE-2019-6830, CVE-2019-6828, CVE-2019-6829, CVE-2019-6809 | Notification Updated: A remediation is available for Modicon Momentum Unity M1E Processor part numbers 171CBU* for CVE-2018-7857 and CVE-2019-6807. |
• Modicon M580 • Modicon M340 • Modicon MC80 • Modicon Momentum • Modicon Quantum • Modicon Premium • PLC Simulator for EcoStruxure™ Control Expert |
SEVD-2019-134-11 (V9.0) PDF | SEVD-2019-134-11 (V9.0) CSAF |
| 2023/03/14 | Embedded FTP Servers for Modicon PAC Controllers | CVE-2018-7240, CVE-2018-7241, CVE-2018-7242 | Notification Updated: Remediation for the Modicon M580 CPU is available for download. | • Modicon M340 (All versions) • Modicon M580 (All versions) • Modicon M580 CPU Safety Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S, All versions) • Modicon BMxCRA and 140CRA modules (All versions) | SEVD-2018-081-01 (V7.0) PDF | SEVD-2018-081-01 (V7.0) CSAF |
| 2023/02/14 | EcoStruxure™ Geo SCADA Expert | CVE-2023-0595 | A CWE-117: Improper Output Neutralization for Logs vulnerability. | EcoStruxureTM Geo SCADA Expert 2019, EcoStruxureTM Geo SCADA Expert 2020, EcoStruxureTM Geo SCADA Expert 2021 (All Versions prior to October 2022) • ClearSCADA (All Versions) | SEVD-2023-045-01 PDF | SEVD-2023-045-01 CSAF |
| 2023/02/14 | StruxureWare Data Center Expert | CVE-2023-25547, CVE-2023-25548, CVE-2023-25549, CVE-2023-25550, CVE-2023-25551, CVE-2023-25552, CVE-2023-25553, CVE-2023-25555 | Multiple Vulnerabilities | StruxureWare Data Center Expert (7.9.2 and earlier) | SEVD-2023-045-02 PDF | SEVD-2023-045-02 CSAF |
| 2023/02/14 | Merten KNX Devices | CVE-2023-25556 | A CWE-287: Improper Authentication vulnerability. | Merten INSTABUS Tastermodul 1fach System M 625199 (Program Version 1.0) • Merten INSTABUS Tastermodul 2fach System M 625299 (Program Version 1.0) • Merten Tasterschnittstelle 4fach plus 670804 (Program Version 1.0 & 1.2) • Merten KNX ARGUS 180/2,20M UP SYSTEM 631725 (Program Version 1.0) • Merten Jalousie-/Schaltaktor REG-K/8x/16x/10 m. HB 649908 (Product discontinued) (Program Version 1.0) • Merten KNX Uni-Dimmaktor LL REG-K/2x230/300 W MEG6710-0002 (Product discontinued) (Program Version 1.0 & 1.1) • Merten KNX Schaltakt.2x6A UP m.2 Eing. MEG6003-0002 (Product discontinued) (Prgram Version 0.1) | SEVD-2023-045-03 PDF | SEVD-2023-045-03 CSAF |
| 2023/02/14 | NetBotz 4 -355/450/455/550/570 | CVE-2022-43376, CVE-2022-43377, CVE-2022-43378 | Multiple Vulnerabilities | NetBotz 4 -355/450/455/550/570 (V4.7.0 and earlier) | SEVD-2022-312-01 (V2.0) PDF | SEVD-2022-312-01 (V2.0) CSAF |
| 2023/02/14 | Modicon M340 Controller and Communication Modules | CVE-2022-0222 | Notification Updated: A remediation is available for Modicon M340 Ethernet Communication Modules BMXNOE0100 (H) and BMXNOE0110 (H). | Modicon M340 CPUs (BMXP34* versions prior to V3.40) and Modicon M340 X80 Ethernet Communication Modules BMXNOR0200H RTU (prior to V1.7 IR24) | SEVD-2022-102-02 (V3.0) PDF | SEVD-2022-102-02 (V3.0) CSAF |
| 2023/02/14 | Web Server on Modicon M340, Legacy Offers Modicon Quantum and Premium and Associated Communication Modules | CVE-2021-22785, CVE-2021-22788, CVE-2021-22787 | Notification Updated: A remediation is available for Modicon M340 Ethernet Communication Modules BMXNOE0100 (H) and BMXNOE0110 (H). | • Modicon M340 CPUs (BMXP34* versions prior to V3.40) • Modicon M340 X80 Ethernet Communication modules BMXNOC0401 prior to V2.11, BMXNOR0200H RTU prior to V1.70 IR24) • Modicon Premium Processors with Integrated Ethernet COPRO (TSXP574634 all versions, TSXP575634 all versions, TSXP576634 all versions) • Modicon Quantum Processors with Integrated Ethernet COPRO (140CPU65xxxxx all versions) • Modicon Quantum Communication Modules (140NOE771x1 all versions, 140NOC78x00 all versions, 140NOC77101 all versions) • Modicon Premium Communication Modules (TSXETY4103 all versions, TSXETY5103 all versions) | SEVD-2021-257-02 (V3.0) PDF | SEVD-2021-257-02 (V3.0) CSAF |
| 2023/02/14 | NicheStack TCP/IP Vulnerabilities (INFRA:HALT) in Lexium ILE, ILA, ILS, and Communication Option Boards for Altivar and Lexium32 drives | CVE-2021-31400, CVE-2021-31401, CVE-2020-35683, CVE-2020-35684, CVE-2020-35685 | Notification Updated: A remediation is available for Altivar 32/320/340/600/900 Profinet communication module (VW3A3627). | • Lexium ILE ILA ILS firmware version (V01.110 and prior) | SEVD-2021-217-01 (V4.0) PDF | SEVD-2021-217-01 (V4.0) CSAF |
| 2023/02/14 | Modicon Web Server | CVE-2020-7562, CVE-2020-7563, CVE-2020-7564 | Notification Updated: A remediation is available on Modicon M340 Ethernet Communication Modules BMXNOE0100 (H) and BMXNOE0110 (H). | • Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) | SEVD-2020-315-01 (V4.0) PDF | SEVD-2020-315-01 (V4.0) CSAF |
| 2023/01/10 | EcoStruxure™ Machine Expert – HVAC (formerly SoMachine - HVAC) | CVE-2022-2988 | A CWE-787: Out-of-bounds Write vulnerability. | • SoMachine - HVAC (Version 2.1.0 and prior)• EcoStruxure™ Machine Expert – HVAC (Version 1.4.0 and prior) | SEVD-2023-010-01 PDF | SEVD-2023-010-01 CSAF |
| 2023/01/10 | EcoStruxure™ Power Operation 2021, EcoStruxure™ Power SCADA Operation 2020 and EcoStruxure™ Power SCADA Operation 2020 R2 | CVE-2022-38138 | A CWE-824: Access of uninitialized Pointer vulnerability. | • EcoStruxure™ Power SCADA Operation 2020 (Version 2020 and 2020 CU1) • EcoStruxure™ Power SCADA Operation 2020 R2 (Version 2020 R2 and 2020 R2 CU1, 2020 R2 CU2, and 2020 R2 CU3) • EcoStruxure™ Power Operation 2021 (Version 2021, 2021 CU1, 2021 CU2 and 2021 CU3) • Power SCADA Operation (Version 9.0)• PowerSCADA Expert (Version 8.x) | SEVD-2023-010-03 PDF | SEVD-2023-010-03 CSAF |
| 2023/01/10 | EcoStruxure™ Power SCADA Anywhere | CVE-2022-1467 | A CWE-668: Exposure of Resource to Wrong Sphere vulnerability. | • EcoStruxure™ Power SCADA Anywhere (Versions 2022, 2021, 2020 R2, 2020, 9.0, 8.x) | SEVD-2023-010-04 PDF | SEVD-2023-010-04 CSAF |
| 2023/01/11 | Easy UPS Online Monitoring Software | CVE-2022-42970, CVE-2022-42971, CVE-2022-42973, CVE-2022-42972 | Notification Updated: The Easy UPS Online Monitoring Software has been separated by the APC and Schneider Electric brand names. | • APC Easy UPS Online Monitoring Software (V2.5-GA and prior (Windows 7, 10, 11 Windows Server 2016, 2019, 2022) (V2.5-GA-01-22261 and prior (Windows 11, Windows Server 2019, 2022)) • Schneider Electric Easy UPS Online Monitoring Software (V2.5-GA and prior (Windows 7, 10, 11 Windows Server 2016, 2019, 2022) (V2.5-GA-01-22261 and prior (Windows 11, Windows Server 2019, 2022)) | SEVD-2022-347-01 (V2.0) PDF | SEVD-2022-347-01 (V2.0) CSAF |
| 2022/12/13 | Saitel DR RTU | CVE-2020-6996 | CWE-787: Out-of-bounds write vulnerability. | SAITEL DR RTU (Firmware from Baseline_11.06.01 to Baseline_11.06.14) | SEVD-2022-347-02 PDF | SEVD-2022-347-02 CSAF |
| 2022/12/13 | EcoStruxure Power Commission | CVE-2022-4062 | A CWE-285: Improper Authorization vulnerability. | EcoStruxure Power Commission (V2.25 and prior versions) | SEVD-2022-347-03 PDF | SEVD-2022-347-03 CSAF |
| 2022/11/22 | APC Smart-UPS SMT, SMC, SMX, SCL, SRC, XU, XP, CSH2, SURTD, SMTL, SRT, and select SRTL Series | CVE-2022-22805, CVE-2022-22806, CVE-2022-0715 | Notification Updated: In the Affected Products and Versions section, new series IDs were added to SMT, SMC, and SMX. Added CSH2 to the available remediations sections. Added mitigations for products with the specified IDs that have been phased out and will not have firmware remediation. | APC Smart-UPS Family and SmartConnect Family (see Security Notification for affected series and versions) | SEVD-2022-067-02 (V7.0) PDF | SEVD-2022-067-02 (V7.0) CSAF |
| 2022/11/08 | EcoStruxure EV Charging Expert | CVE-2022-22807, CVE-2022-22808 | Notification Updated: The CWE for CVE-2022-22808 has been updated. No additional action is required for customers who have already followed the remediation instructions. | EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML (All Versions prior to SP8 (Version 01)V4.0.0.13) | SEVD-2022-039-02 (V2.0) PDF | SEVD-2022-039-02 (V2.0) CSAF |
| 2022/11/08 | homeLYnk (Wiser For KNX) and spaceLYnk | CVE-2021-22732, CVE-2021-22733, CVE-2021-22734, CVE-2021-22735, CVE-2021-22736, CVE-2021-22737, CVE-2021-22738, CVE-2021-22739, CVE-2021-22740 | Notification Updated: The CWE for CVE-2021-22737 has been updated. No additional action is required for customers who have already followed the remediation instructions provided. | homeLYnk (Wiser For KNX) and spaceLYnk (V2.60 and prior) | SEVD-2021-130-04 (V2.0) PDF | SEVD-2022-130-04 (V2.0) CSAF |
| 2022/11/08 | C-Bus Toolkit and C-Gate Server | CVE-2021-22716, CVE-2021-22717, CVE-2021-22718, CVE-2021-22719, CVE-2021-22720, CVE-2021-22748, CVE-2021-22796 | Notification Updated: The CWE for CVE-2021-22716 has been updated. No additional action is required for customers who have already followed the remediation instructions provided. | C-Bus Toolkit V1.15.9 and prior, C-Gate Server 2.11.7 and prior | SEVD-2021-103-01 (V4.0) PDF | SEVD-2021-103-01 (V4.0) CSAF |
| 2022/10/14 | EcoStruxure™ Power Operation 2021, EcoStruxure™ Power SCADA Operation 2020 and EcoStruxure™ Power SCADA Operation 2020 R2 | CVE-2022-22727 | Notification Updated: There is an update to the EcoStruxure™ Power SCADA Operation 2020 remediation advising customers to move to 2020 R2 instead of 2020 CU2. | EcoStruxure™ Power SCADA Operation 2020 Version 2020 and 2020 CU1 (Version 2020 and 2020 CU1) • EcoStruxure™ Power SCADA Operation 2020 R2 (Version 2020 R2 Prior to CU1) • EcoStruxure™ Power Operation 2021 (Version 2021, 2021 CU1 and 2021 CU2) | SEVD-2022-284-04 (V1.1) PDF | SEVD-2022-284-04 (V1.1) CSAF |
| 2022/10/11 | EcoStruxure™ Operator Terminal Expert and Pro-face BLUE | CVE-2022-41666, CVE 2022-41667, CVE-2022-41668, CVE-2022-41669, CVE-2022-41670, CVE-2022-41671 | Multiple Vulnerabilities | • EcoStruxure™ Operator Terminal Expert (V3.3 Hotfix 1 or prior) • Pro-face BLUE (V3.3 Hotfix1 or prior) | SEVD-2022-284-01 (PDF) | SEVD-2022-284-01 (CSAF) |
| 2022/10/11 | EcoStruxure™ Panel Server Box (PAS900) | CVE-2022-30790, CVE-2022-30552 | Multiple Vulnerabilities | EcoStruxure™Panel Server Box (PAS900) (V3.1.16 and prior) | SEVD-2022-284-02 (PDF) | SEVD-2022-284-02 (CSAF) |
| 2022/10/11 | ISaGRAF Workbench for SAGE RTU | CVE-2022-2463, CVE-2022-2464, CVE-2022-2465 | Multiple Vulnerabilities | SAGE RTU C3414 CPU (Current) with optional ISaGRAF software versions prior to 6.6.10 (All firmware versions prior to C3414-500-S02K5_P5) • SAGE RTU C3413, C3412 CPU (Obsolete CPUs) with optional ISaGRAF software versions prior to 6.6.10 (All firmware versions) | SEVD-2022-284-03 (PDF) | SEVD-2022-284-03 (CSAF) |
| 2022/10/11 | Apache Log4j Vulnerability (Log4Shell) | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, CVE-2021-44832 | Notification Updated: A remediation is now available for Netbotz 750/755. | Schneider Electric is aware of the vulnerabilities impacting Apache Log4j, including CVE-2021-44228, also known as Log4Shell. Our cybersecurity team is actively investigating the impact of the vulnerability on Schneider Electric offers and will continuously update this notification as information becomes available. | SESB-2021-347-01 (V14.0) PDF | SESB-2021-347-01 (V14.0) (CSAF) |
| 2022/09/13 | EcoStruxure Machine SCADA Expert and Pro-face BLUE Open Studio | N/A | Deserialization of Untrusted Data vulnerability exists that can lead to arbitrary code execution, information disclosure, or denial of services when the project file is loaded. | • EcoStruxure Machine SCADA Expert 2020 Service Pack 2 (V20.0.2 or prior) • BLUE Open Studio 2020 Service Pack 2 (V20.0.2 or prior) | SEVD-2022-256-01 PDF | SEVD-2022-256-01 CSAF |
| 2022/09/13 | Wind River VxWorks Vulnerabilities (URGENT/11) | CVE-2019-12256, CVE-2019-12257, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263, CVE-2019-12258, CVE-2019-12259, CVE-2019-12262, CVE-2019-12264, CVE-2019-12265 | Notification Updated: CANopen X80 Communication Module (BMECXM0100) and Profibus Remote Master (TCSEGPA23F14F) added to the list of affected products, along with their final mitigations. | See Security Bulletin for offer specific information. | SESB-2019-214-01 (V2.14) PDF | SESB-2019-214-01 CSAF |
| 2022/09/13 | Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and Associated Communication Modules | CVE-2020-7549 | Notification Updated: A fix is available for Modicon M340 X80 Ethernet Communication Module BMXNOC0401. | • Modicon M340 CPUs (BMXP34* versions prior to V3.30) • Modicon M340 Ethernet Communication modules (BMXNOE0100 (H) versions prior to V3.4, BMXNOE0110 (H) versions prior to V6.5, BMXNOC0401 (H) all versions) • Modicon Quantum communication modules (140NOE771x1 versions prior to V7.3, 140NOC78x00 all versions, 140NOC77101 all versions) • Modicon Quantum processors with integrated Ethernet COPRO (140CPU65xx0 all versions) • Modicon Premium communication modules (TSXETY4103 all versions, TSXETY5103 all versions) • Modicon Premium processors with integrated Ethernet COPRO (TSXP574634 all versions, TSXP575634 all versions, TSXP576634 all versions) | SEVD-2020-343-06 (V2.0) PDF | SEVD-2020-343-06 CSAF |
| 2022/09/13 | Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and Associated Communication Modules | CVE-2020-7535 | Notification Updated: A remediation is available for ModiconM340 X80 Ethernet Communication Modules BMXNOC0401. | Modicon M340 • Modicon Premium • Modicon Quantum | SEVD-2020-343-05 (V3.0) PDF | SEVD-2020-343-05 CSAF |
| 2022/09/13 | SNMP Service on Modicon M340 and Associated Communication Modules | CVE-2020-7536 | Notification Updated: A remediation is available for Modicon M340 X80 Ethernet Communication module BMXNOC0401. | • Modicon M340 CPUs (BMXP34* versions prior to V3.30) • Modicon M340 Communication Ethernet modules (BMXNOC0401 versions prior to V2.11BMXNOE0100 (H) versions prior to V3.4, BMXNOE0110 (H) versions prior to V6.6, BMXNOR0200H V1.7 IR22) | SEVD-2020-343-07 (V2.1) PDF | SEVD-2020-343-07 CSAF |
| 2022/08/19 | OPC UA and X80 advanced RTU Modicon Communication Modules | CVE-2022-34759, CVE-2022-34760, CVE-2022-34761, CVE-2022-34762, CVE-2022-34763, CVE-2022-34764, CVE-2022-34765 | Notification Updated: There is a remediation for the X80 Advanced RTU Communication Module (BMENOR2200). | • OPC UA Modicon Communication Module (BMENUA0100) V1.10 and prior • X80 advanced RTU Communication Module (BMENOR2200H) V1.0 • X80 advanced RTU Communication Module (BMENOR2200H) V2.01 and later | SEVD-2022-193-01 (V3.0) PDF | SEVD-2022-193-01 (V3.0) CSAF |
| 2022/08/09 | Treck TCP/IP Vulnerabilities (Ripple20) | CVE-2020-11896, CVE-2020-11897, CVE-2020-11898, CVE-2020-11899, CVE-2020-11900, CVE-2020-11901, CVE-2020-11902, CVE-2020-11903, CVE-2020-11904, CVE-2020-11905, CVE-2020-11906, CVE-2020-11907, CVE-2020-11908, CVE-2020-11909, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11913, CVE-2020-11914 | Notification Updated - A remediation is available for the ATV6000 Medium Voltage Altivar Process Drive. | See Security Notification | SEVD-2020-175-01 (V2.18) PDF | SEVD-2020-175-01 (V2.18) CSAF |
| 2022/08/09 | EcoStruxure™ Control Expert | CVE-2022-37302 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability. | EcoStruxure™ Control Expert (V15.1 HF001 and prior) | SEVD-2022-221-03 PDF | SEVD-2022-221-03 CSAF |
| 2022/07/12 | SpaceLogic C-Bus Home Controller, formerly known as C-Bus Wiser Home Controller MK2 | CVE-2022-34753 | A CWE-78: Improper Neutralizationof Special Elements used in an OS Command ('OS Command Injection') | SpaceLogic C-Bus Home Controller (5200WHC2), formerly known as C-Bus Wiser Homer Controller MK2 V1.31.460 and prior | SEVD-2022-193-02 PDF | SEVD-2022-193-02 CSAF |
| 2022/07/12 | Acti9 PowerTag Link C | CVE-2022-34754 | CWE-269: Improper Privilege Management | • Acti9 PowerTag Link C (A9XELC10-A) V1.7.5 and prior • Acti9 PowerTag Link C (A9XELC10-B) V2.12.0 and prior | SEVD-2022-193-03 PDF | SEVD-2022-193-03 CSAF |
| 2022/07/12 | Easergy P5 | CVE-2022-34756, CVE-2022-34757, CVE-2022-34758 | Multiple Vulnerabilities | Easergy P5 Firmware V01.401.102 and prior | SEVD-2022-193-04 PDF | SEVD-2022-193-04 CSAF |
| 2022/07/12 | IGSS (Interactive Graphical SCADA System) | CVE-2022-24324, CVE-2022-2329 | Notification Updated: An additional vulnerability, CVE-2022-2329, was remediated with the released patch. | IGSS Data Server (V15.0.0.22073 and prior) | SEVD-2022-102-01 (V2.0) PDF | SEVD-2022-102-01 (V2.0) CSAF |
| 2022/07/12 | AT&T Labs Compressor (XMill) and Decompressor (XDemill) used by EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and SCADAPack RemoteConnect™ for x70 | CVE-2021-21810, CVE-2021-21811, CVE-2021-21812, CVE-2021-21813, CVE-2021-21814, CVE-2021-21815, CVE-2021-21825, CVE-2021-21826, CVE-2021-21827, CVE-2021-21828, CVE-2021-21829, CVE-2021-21830, CVE-2022-26507 | Notification Updated: A release is available for SCADAPack RemoteConnect™ R2.7.3 that addresses workstation vulnerabilities. | • EcoStruxure™ Control Expert (All versions prior to V15.1 HF001 including former Unity Pro) • EcoStruxure™ Process Expert (All versions prior to V2021 including former HDCS) • SCADAPack RemoteConnect™ for x70 (All versions) | SEVD-2021-222-02 (V4.0) PDF | SEVD-2021-222-02 (V4.0) CSAF |
| 2022/07/12 | EcoStruxure™ Control Expert, EcoStruxure™ Process Expert, SCADAPack RemoteConnect™ for x70 | CVE-2021-22797 | Notification Updated: A release is available for SCADAPack RemoteConnect™ R2.7.3 that addresses workstation vulnerabilities. | • EcoStruxure™ Control Expert (All versions including former Unity Pro) • EcoStruxure™ Process Expert (All versions including former HDCS) • SCADAPack RemoteConnect™ for x70 (All versions) | SEVD-2021-257-01 (V3.0) PDF | SEVD-2021-257-01 (V3.0) CSAF |
| 2022/06/16 | Data Center Expert | CVE-2022-32518, CVE-2022-32519, CVE-2022-32520, CVE-2022-32521 | Notification Updated: Affected versions updated to include V7.9.0, remediation guidance updated for clarity. | Data Center Expert V7.9.0 and prior | SEVD-2022-165-04 (V2.0) PDF | SEVD-2022-165-04 (V2.0) CSAF |
| 2022/06/14 | Geo SCADA Mobile | CVE-2022-32530 | CWE-668: Exposure of Resource to Wrong Sphere | Geo SCADA Mobile Version Build 222 and prior | SEVD-2022-165-02 PDF | SEVD-2022-165-02 CSAF |
| 2022/06/14 | Conext™ Combox | CVE-2022-32515, CVE-2022-32516, CVE-2022-32517 | Multiple Vulnerabilities | Conext™ ComBox All Versions | SEVD-2022-165-03 PDF | SEVD-2022-165-03 CSAF |
| 2022/06/14 | EcoStruxure Power Commission | CVE-2022-0223, CVE-2022-22731, CVE-2022-22732 | Multiple Vulnerabilities | EcoStruxure Power Commission Versions prior to V2.22 | SEVD-2022-165-05 PDF | SEVD-2022-165-05 CSAF |
| 2022/06/14 | Schneider Electric C-Bus Home Automation Products | CVE-2022-32513, CVE-2022-32514 | Multiple Vulnerabilities | • Schneider Electric C-Bus Network Automation Controller - LSS5500NAC V1.10.0 and prior • Schneider Electric Wiser for C-Bus Automation Controller - LSS5500SHAC V1.10.0 and prior • Clipsal C-Bus Network Automation Controller - 5500NAC V1.10.0 and prior • Clipsal Wiser for C-Bus Automation Controller - 5500SHAC V1.10.0 and prior • SpaceLogic C-Bus Network Automation Controller - 5500NAC2 V1.10.0 and prior • SpaceLogic C-Bus Application Controller - 5500AC2 V1.10.0 and prior | SEVD-2022-165-06 PDF | SEVD-2022-165-06 CSAF |
| 2022/06/14 | CanBRASS | CVE-2022-32512 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer | CanBRASS Versions prior to V7.5.1 | SEVD-2022-165-07 PDF | SEVD-2022-165-07 CSAF |
| 2022/06/14 | EcoStruxure™ Cybersecurity Admin Expert | CVE-2022-32747, CVE-2022-32748 | Multiple Vulnerabilities | EcoStruxure™ Cybersecurity Admin Expert(CAE) Versions 2.2 and prior | SEVD-2022-165-08 PDF | SEVD-2022-165-08 CSAF |
| 2022/06/14 | EcoStruxure Power Build - Rapsody | CVE-2021-22697, CVE-2021-22698 | Notification Update: These vulnerabilities have been fixed in V2.1.3. | EcoStruxure Power Build - Rapsody software V2.1.13 and prior | SEVD-2021-012-02 (V2.0) PDF | SEVD-2021-012-02 (V2.0) CSAF |
| 2022/06/14 | EcoStruxure™ Control Expert, EcoStruxure™ Process Expert, SCADAPack RemoteConnect™ for x70 | CVE-2022-24322, CVE-2022-24323 | Notification Updated: Added SCADAPack RemoteConnect™ to the list of affected products, which is impacted on versions prior to R2.7.3 through the integration of EcoStruxure™ Control Expert. | • EcoStruxure™ Control Expert Version 15.0 SP1 and prior • EcoStruxure™ Process Expert Version 2021 and prior • SCADAPack RemoteConnect™ for x70 All Versions prior to R2.7.3 | SEVD-2022-067-01 (V2.0) PDF | SEVD-2022-067-01 (V2.0) CSAF |
| 2022/05/10 | PowerLogic ION Setup | CVE-2022-30232 | CWE-20: Improper Input Validation | PowerLogic ION Setup Versions prior to 3.2.22096.01 | SEVD-2022-130-01 PDF | SEVD-2022-130-01 CSAF |
| 2022/05/10 | Saitel DP RTU | CVE-2022-6996 | CWE-787: Out-of-bounds Write | Saitel DP RTU Firmware Version Baseline_09.00.00 to Baseline_11.06.23 | SEVD-2022-130-02 PDF | SEVD-2022-130-02 CSAF |
| 2022/05/10 | Wiser Smart | CVE-2022-30234, CVE-2022-30235, CVE-2022-30238, CVE-2022-30236, CVE-2022-30237, CVE-2022-30233 | Multiple Vulnerabilities | Wiser Smart EER21000 V4.5 and prior and Wiser Smart EER21001 V4.5 and prior | SEVD-2022-130-03 PDF | SEVD-2022-130-03 CSAF |
| 2022/05/10 | APC by Schneider Electric Network Management Cards (NMC) and NMC Embedded Devices | CVE-2021-22810, CVE-2021-22811, CVE-2021-22812, CVE-2021-22813, CVE-2021-22814, CVE-2021-22815 | Notification Updated: Remediations added for remaining affected products: APC Power Distribution products, Cooling products, Environmental Monitoring products, and Battery Management products. | Network Management Card 2 (NMC2), Network Management Card 3 (NMC3), and the NMC embedded devices including: • Uninterruptible Power Supply (UPS) products • APC Power Distribution products • Cooling products •Environmental Monitoring • Battery Management products. See notification for specific affected product and version details. | SEVD-2021-313-03 (V2.0) PDF | SEVD-2021-313-03 (V2.0) CSAF |
| 2022/04/13 | APT Cyber Tools Targeting ICS/SCADA Devices Security Bulletin | Schneider Electric, working in close collaboration with the United States Department of Energy, Homeland Security, and cybersecurity defense partner, Mandiant, identified and developed protective measures to defend against APT (Advanced Persistent Threat) Cyberattack Tools/Framework still in development that would target a set of our Programmable Logic Controllers (PLCs) products. | SESB-2022-01 | |||
| 2022/03/28 | SCADAPack Workbench | CVE-2022-0221 | CWE-611: Improper Restriction of XML External Entity Reference | SCADAPack Workbench (6.6.8a and prior) | SEVD-2022-087-01 | SEVD-2022-087-01 CSAF |
| 2022/03/08 | Ritto Wiser™ Door | CVE-2021-22783 | CWE-200: Information Exposure | Ritto Wiser™ Door (All versions) | SEVD-2022-067-03 | SEVD-2022-067-03 CSAF |
| 2022/03/08 | Windows Print Spooler Embedded in EcoStruxure™ Process Expert | CVE-2021-34527, CVE-2021-1675 | Notification Updated - EcoStruxure™ Process Expert 2021 includes a fix for these vulnerabilities | EcoStruxure™ Process Expert (All versions prior to V2021) | SEVD-2021-313-04 (V2.0) | SEVD-2021-313-04 (V2.0) CSAF |
| 2022/02/08 | IGSS (Interactive Graphical SCADA System) | CVE-2022-24310, CVE-2022-24311, CVE-2022-24312, CVE-2022-24313, CVE-2022-24314, CVE-2022-24315, CVE-2022-24316, CVE-2022-24317 | Multiple Vulnerabilities | IGSS Data Server: IGSSdataServer.exe (V15.0.0.22020 and prior) | SEVD-2022-039-01 | SEVD-2022-039-01 CSAF |
| 2022/02/08 | Easergy P40 | CVE-2022-22813 | CWE-798: Use of Hard-coded Credentials | Easergy P40 Series model numbers with Ethernet option bit as Q, R, S (All PX4X firmware versions) | SEVD-2022-039-03 | SEVD-2022-039-03 CSAF |
| 2022/02/08 | spaceLYnk, Wiser For KNX, fellerLYnk | CVE-2022-22809, CVE-2022-22810, CVE-2022-22811, CVE-2022-22812 | Multiple Vulnerabilities | • spaceLYnk (V2.6.2 and prior), • Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), • fellerLYnk (V2.6.2 and prior) | SEVD-2022-039-04 | SEVD-2022-039-04 CSAF |
| 2022/02/08 | EcoStruxure Geo SCADA Expert | CVE-2022-24318, CVE-2022-24319, CVE-2022-24320, CVE-2022-24321 | Multiple Vulnerabilities | • ClearSCADA (All Versions) • EcoStruxure GeoSCADA Expert 2019 (All Versions) • EcoStruxure Geo SCADA Expert 2020 (All Versions) | SEVD-2022-039-05 | SEVD-2022-039-05 CSAF |
| 2022/02/08 | Harmony/Magelis iPC SeriesHMI, Vijeo Designerand Vijeo Designer Basic | CVE-2021-22817 | A CWE-276: Incorrect Default Permissions | • Harmony/Magelis iPC Series (All Versions), • Vijeo Designer (All Versions prior to V6.2 SP11 Multiple HotFix 4), • Vijeo Designer Basic (All Versions prior to V1.2.1) | SEVD-2022-039-06 | SEVD-2022-039-06 CSAF |
| 2022/02/08 | Harmony (formerly known as Magelis) HMI Panels | CVE-2019-6833 | A full fix is available for a selection of affected products and introduced a mitigation section to reduce the risk of exploit. Identified products with the status End of Commercialization in the list of affected products. | See security notification | SEVD-2019-225-01 (1.2) | SEVD-2019-225-01 (V2.0) CSAF |
| 2022/01/11 | Ethernet and Web server on Modicon M340 controller and Communication Modules | CVE-2022-22724, CVE-2020-7534 | CWE-352: Cross-Site Request Forgery (CSRF) & CWE-400: Uncontrolled Resource Consumption | • Modicon M340 CPUs (BMXP34 - All Versions), • Modicon Quantum CPUs with integrated Ethernet (Copro) (140CPU65 - All Versions), • Modicon Premium CPUs with integrated Ethernet (Copro) (TSXP57 - All Versions), • Modicon M340 ethernet modules (BMXNOC040, BMXNOE01, BMXNOR0200H - All Versions) , • Modicon Quantum and Premiumfactory cast communication modules (140NOE77111, 140NOC78*00, TSXETY5103, TSXETY4103 - All Versions) | SEVD-2022-011-01 | SEVD-2022-011-01 CSAF |
| 2022/01/11 | Easergy T300 | CVE-2020-8597 | CWE-120: Buffer Copy without Checking Size of Input | Easergy T300 (Only products connected to a 3G/4G network using the following T300 modems are vulnerable: • Easergy HU250 3G modem box - Five Bands UMTS/HSPA+, • Easergy HU250 4G modem box with GPS clock synchronization Firmware V2.7.1 and prior) | SEVD-2022-011-02 | SEVD-2022-011-02 CSAF |
| 2022/01/11 | Easergy P5 | CVE-2022-22722, CVE-2022-22723 | CWE-798: Use of Hard-coded Credentials & CWE-120: Buffer Copy without Checking Size of Input | Easergy P5 (All firmware versions prior to V01.401.101) | SEVD-2022-011-03 | SEVD-2022-011-03 (V1.1) CSAF |
| 2022/01/11 | Easergy P3 | CVE-2022-22725 | CWE-120: Buffer Copy without Checking Size of Input | Easergy P3 (All versions prior to V30.205) | SEVD-2022-011-04 | SEVD-2022-011-04 CSAF |
| 2022/01/11 | ConneXium Tofino Firewall and Loadable Security Modules | CVE-2021-30061, CVE-2021-30064, CVE-2021-30065, CVE-2021-30066, CVE-2021-30062, CVE-2021-30063 | Multiple Vulnerabilities | ConneXium Tofino Firewall – part number TCSEFEA23F3F22 - Version prior to v03.23 , ConneXium Tofino OPC-LSM – part number TCSEFM0000 - Version prior to Firewall host version v03.23, ConneXium Tofino Firewall – part number TCSEFEA23F3F20/21 - All Versions | SEVD-2022-011-05 | SEVD-2022-011-05 CSAF |
| 2022/01/11 | EcoStruxure™ Power Monitoring Expert | CVE-2022-22726, CVE-2022-22727, CVE-2019-8963, CVE-2022-22804 | Multiple Vulnerabilities | EcoStruxure Power Monitoring Expert (All Versions 2020 and prior) | SEVD-2022-011-07 | SEVD-2022-011-07 CSAF |
| 2021/12/14 | IGSS (Interactive Graphical SCADA System) | CVE-2021-22823, CVE-2021-22824 | Multiple Vulnerabilties | IGSS Data Collector (dc.exe) V15.0.0.21320 and prior | SEVD-2021-348-01 | |
| 2021/12/14 | EVlink City / Parking / Smart Wallbox Charging Stations | CVE-2021-22724, CVE-2021-22725, CVE-2021-22818, CVE-2021-22819, CVE-2021-22820, CVE-2021-22821, CVE-2021-22822, | Multiple Vulnerabilties | EVlink City (EVC1S22P4 / EVC1S7P4), EVlink Parking (EVW2 / EVF2 / EVP2PE), EVlink Smart Wallbox EVB1A - All versions prior to R8 V3.4.0.2 | SEVD-2021-348-02 | |
| 2021/12/14 | EcoStruxure™ Power Monitoring Expert | CVE-2021-22826, CVE-2021-22827 | Multiple Vulnerabilties | EcoStruxure™ Power Monitoring Expert V9.0 and prior | SEVD-2021-348-03 | |
| 2021/12/14 | APC by Schneider Electric Rack PDU | CVE-2021-22825 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | AP7xxxx and AP8xxx with NMC2. (V6.9.6 and prior), AP7xxx and AP8xxx with NMC3 (V1.1.0.3 and prior), APDU9xxx with NMC3 (V1.0.0.28 and prior) | SEVD-2021-348-04 | |
| 2021/12/14 | Web Server on Modicon M580 Controllers and Communication Modules (V4.0) | CVE-2019-6848, CVE-2019-6849, CVE-2019-6850 | Multiple Vulnerabilities (December 2021 Update: A fix is now available for CVE-2019-6849 on the BMENOC0321) | Modicon M580, Modicon BMENOC 0311, Modicon BMENOC 0321 | SEVD-2019-281-04 (V4.0) | |
| 2021/11/09 | Cyber Attacks against KNX Systems Improperly Exposed to the Internet | Schneider Electric is aware of confirmed reports of cyber-attacks targeting KNX home and building automation systems utilizing a KNXnet/IP Ethernet to KNX gateway or router that has been improperly exposed to the Internet. See security bulletin for recommended mitigations. | SESB-2021-313-01 | |||
| 2021/11/09 | SCADAPack 300E Series RTU | CVE-2021-22816 | CWE-754: Improper Check for Unusual or Exceptional Conditions | SCADAPack 312E, 313E, 314E, 330E, 333E, 334E, 337E, 350E and 357E RTUs with firmware V8.18.1 and prior | SEVD-2021-313-01 | |
| 2021/11/09 | Schneider Electric Software Update (SESU) | CVE-2021-22799 | CWE-331: Insufficient Entropy | Schneider Electric Software Update, V2.3.0 through V2.5.1 | SEVD-2021-313-02 | |
| 2021/11/09 | TelevisAir Dongle BTLE | - | - | TelevisAir V3.0 Dongle BTLE (part number ADBT42* and prior) | SEVD-2021-313-06 | |
| 2021/11/09 | Eurotherm GUIcon | CVE-2021-22807, CVE-2021-22808, CVE-2021-22809 | Multiple Vulnerabilities | Eurotherm by Schneider Electric GUIcon Version 2.0 (Build 683.003) and prior | SEVD-2021-313-07 | |
| 2021/11/09 | Modicon Controllers (V3.0) | CVE-2019-6821 | CWE-330: Use of Insufficiently Random Values (Notification Updated - Clarification of impacted commercial references: added BMENOP0300x, BMENOC03x1, BMENOS0300 and removed Modicon M340 CPU.) | Modicon M580 firmware versions prior to V2.30, and all firmware versions of Modicon M340, Modicon Premium, Modicon Quantum | SEVD-2019-134-03 (V3.0) | |
| 2021/10/12 | spaceLYnk, Wiser For KNX, fellerLYnk | CVE-2021-22806 | CWE-669: Incorrect Resource Transfer Between Spheres | spaceLYnk V2.6.1 and prior • Wiser for KNX V2.6.1 and prior • fellerLYnk V2.6.1 and prior | SEVD-2021-285-01 | |
| 2021/10/12 | ConneXium Network Manager (CNM) Software | CVE-2021-22801 | CWE-269: Improper Privilege Management | ConneXium Network Manager (Ethernet network management software) – all versions | SEVD-2021-285-02 | |
| 2021/10/12 | IGSS (Interactive Graphical SCADA System) | CVE-2021-22802, CVE-2021-22803, CVE-2021-22804, CVE-2021-22805 | Multiple Vulnerabilties | IGSS Data Collector (dc.exe) V15.0.0.21243 and prior | SEVD-2021-285-03 | |
| 2021/10/12 | Modicon M218 Logic Controller | CVE-2021-22800 | CWE-20: Improper Input Validation | Modicon M218 logic controller firmware version v5.1.0.6 and prior. | SEVD-2021-285-04 | |
| 2021/10/12 | Conext™ Advisor & Conext™ Control V2 | CVE-2019-11135, CVE-2020-0601, CVE-2020-0609, CVE-2020-0610, CVE-2020-0796, CVE-2020-0938, CVE-2020-1020, CVE-2020-1350, CVE-2020-1472, CVE-2019-0803, CVE-2019-1040 | Multiple Vulnerabilities | • Conext™ Advisor 2 Cloud 2.02 and below • Conext™ Advisor 2 Gateway 1.28.45 and below • Conext™ Control V2 Gateway 2.6 and below | SEVD-2021-285-05 | |
| 2021/10/12 | Embedded TCP/IP Stacks Vulnerabilities (AMNESIA:33) in Modicon TM5 modules | CVE-2020-13987, CVE-2020-17438 | Multiple Vulnerabilities | • TM5CSLC100FS: safety logic controller Firmware V2.56 and prior • TM5CSLC200FS: safety logic controller Firmware V2.56 and prior • TM5NS31: sercos III communication module Firmware V2.78 and prior • TM5NEIP1: EtherNet/IP module Firmware V3.10 and prior • TM5NEIP1K: EtherNet/IP FieldBus KIT Firmware V3.10 and prior | SEVD-2021-285-06 | |
| 2021/10/12 | Microsoft Remote Desktop Services (DejaBlue) (V5.0) | CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1223, CVE-2019-1224, CVE-2019-1225, CVE-2019-1226 | Multiple Vulnerabilities (Notification Updated) | Multiple Products | SEVD-2019-267-01 (V5.0) | |
| 2021/10/12 | Intel Microarchitectural Data Sampling (ZombieLoad) (V6.0) | CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091 | Multiple Vulnerabilities (Notification Updated) | Multiple Products | SEVD-2019-193-01 (V6.0) | |
| 2021/10/12 | Microsoft Remote Desktop Services (BlueKeep) (V7.0) | CVE-2019-0708 | Remote Code Execution (Notification Updated) | Multiple Products | SEVD-2019-193-02 (V7.0) | |
| 2021/09/14 | StruxureWare Data Center Expert | CVE-2021-22794, CVE-2021-22795 | Multiple Vulnerabilities | StruxureWare Data Center Expert versions 7.8.1 and prior. | SEVD-2021-257-03 | |
| 2021/09/14 | Conext™ ComBox | CVE-2021-22798 | CWE-522: Insufficiently Protected Credentials | Conext™ ComBox, all versions | SEVD-2021-257-04 | |
| 2021/09/14 | Treck TCP/IPv6 Vulnerabilities (V4.0) | CVE-2020-27336, CVE-2020-27337, CVE-2020-27338 | Multiple Vulnerabilities (Notification Updated) | • ATV340E Altivar Machine Drives • ATV630/650/660/680/6A0/6B0 Altivar Process Drives • ATV930/950/960/980/9A0/9B0 Altivar Process Drives • VW3A3720, VW3A3721 Altivar Process Communication Modules • APC Network Management Card 2 (NMC2) • APC Network Management Card 3 (NMC3) • IFE Gateway • Acti9 Smartlink IP* • Acti9 PowerTag Link / HD* • Acti9 Smartlink SI D* • Acti9 Smartlink SI B* • EGX150/Link150 Ethernet Gateway** • eIFE Ethernet Interface for MasterPact MTZ drawout circuit breakers • IFE Ethernet Interface for ComPact, PowerPact, and MasterPact circuit breakers • TM3 Bus Coupler EIP • ATV6000 Medium Voltage Altivar Process Drives | SEVD-2020-353-01 (V4.0) | |
| 2021/08/19 | BadAlloc Vulnerabilities | - | Multiple Vulnerabilities | - | SESB-2021-231-01 | |
| 2021/08/10 | Harmony/Magelis HMI Products configured by Vijeo Designer, Vijeo Designer Basic and EcoStruxure Machine Expert | CVE-2021-22704 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory | Harmony/HMI Products Configured by Vijeo Designer (all versions prior to V6.2 SP11 ), Vijeo Designer Basic (all versions prior to V1.2), or EcoStruxure Machine Expert (all versions prior to V2.0) | SEVD-2021-222-01 | |
| 2021/08/10 | Pro-face GP-Pro EX | CVE-2021-22775 | CWE-427: Uncontrolled Search Path Element | GP-Pro EX V4.09.250 and prior | SEVD-2021-222-03 | |
| 2021/08/10 | AccuSine PCSn/PCS+/PFV+ | CVE-2021-22793 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | AccuSine PCS+ / PFV+ (Versions prior to V1.6.7) and AccuSine PCSn (Versions prior to V2.2.4) | SEVD-2021-222-05 | |
| 2021/08/10 | CODESYS V2 Vulnerabilities in Programmable Automation Controller (PacDrive) M | CVE-2021-30186, CVE-2021-30188, CVE-2021-30195 | Multiple Vulnerabilities | Programmable Automation Controller (PacDrive) M, all versions | SEVD-2021-222-06 | |
| 2021/08/10 | NTZ Mekhanotronika Rus. LLC SHAIIS-MT-111, SHASU-MT-107 and SHFK-MT, and SHFK-MT-104 Control Panels | CVE-2021-34527, CVE-2021-1675 | Multiple Vulnerabilities | SHAIIS-MT-111, SHASU-MT-107 and SHFK-MT, and SHFK-MT-104 Control Panels (see security notification for more details) | SEVD-2021-222-07 | |
| 2021/08/10 | NTZ Mekhanotronika Rus. LLC SHFK-MT-104 Control Panels | CVE-2021-31166 | HTTP Protocol Stack Remote Code Execution | SHFK-MT-104 Control Panels (see security notification for more details) | SEVD-2021-222-08 | |
| 2021/08/10 | Embedded Web Server for Modicon X80 BMXNOR0200H RTU Module (V2.0) | CVE-2021-22749 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | Modicon X80 BMXNOR0200H RTU SV1.70 IR22 and prior | SEVD-2021-159-05 (V2.0) | |
| 2021/08/10 | Treck HTTP Server Vulnerability on TM3 Bus Coupler Modules (V2.0) | CVE-2020-25066 | Heap-Based Overflow | • TM3 Bus Coupler (EIP firmware version 2.1.50.2 and prior) • TM3 Bus Coupler (SL firmware version 2.0.50.2 and prior) • TM3 Bus Coupler (CANOpen firmware version 2.0.50.2 and prior) | SEVD-2020-353-02 (V2.0) | |
| 2021/08/10 | Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (V2.0) | CVE-2020-7540 | CWE-306: Missing Authentication for Critical Function | • Modicon M340 CPUs (BMXP34* all versions prior to V3.30) • Modicon M340 Ethernet Communication modules(BMXNOE0100 (H) all versions prior to V3.3, BMXNOE0110 (H) all versions prior to V6.5, BMXNOC0401 (H) all versions prior to V2.10) • Modicon Premium communication modules (TSXETY4103 prior to V6.2, TSXETY5103 prior to V6.4) • Modicon Premium processors with integrated Ethernet COPRO (TSXP574634 versions prior to V6.1, TSXP575634 versions prior to V6.1, TSXP576634 versions prior to V6.1) • Modicon Quantum processors with integrated Ethernet COPRO (140CPU65xx0 prior to V6.1) • Modicon Quantum communication modules (140NOE771x1, prior to V7.1, 140NOC78x00, prior to V1.74, 140NOC77101, prior to V1.08) • BMXNOR200H (all versions) | SEVD-2020-343-04 (V2.0) | |
| 2021/08/10 | Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (V2.0) | CVE-2020-7539, CVE-2020-7541 | Multiple Vulnerabilities | • Modicon M340 CPUs (BMXP34* versions prior to V3.30) • Modicon M340 Ethernet Communication modules (BMXNOE0100 (H) versions prior to V3.3, BMXNOE0110 (H) versions prior to V6.5, BMXNOC0401 (H) versions prior to V2.10) • Modicon Premium communication modules (TSXETY4103 versions prior to V6.2, TSXETY5103 versions prior to V6.4) • Modicon Premium processors with integrated Ethernet COPRO (TSXP574634 versions prior to V6.1, TSXP575634 versions prior to V6.1, TSXP576634 versions prior to V6.1) • Modicon Quantum processors with integrated Ethernet COPRO (140CPU65xx0 versions prior to V6.1) • Modicon Quantum communication modules (140NOE771x1 versions prior to V7.1, 140NOC78x00 versions prior to V1.74, 140NOC77101 versions prior to V1.08) | SEVD-2020-343-03 (V2.0) | |
| 2021/07/13 | Easergy T300 | CVE-2021-22769, CVE-2021-22770, CVE-2021-22771 | Multiple Vulnerabilities | Easergy T300 with firmware V2.7.1 and prior | SEVD-2021-194-02 | |
| 2021/07/13 | SoSafe Configurable | CVE-2021-22777 | CWE-502: Deserialization of Untrusted Data | SoSafe Configurable prior to V1.8.1 | SEVD-2021-194-03 | |
| 2021/07/13 | C-Bus Toolkit | CVE-2021-22784 | CWE-287: Improper Authentication | C-Bus Toolkit V1.15.8 and prior | SEVD-2021-194-04 | |
| 2021/07/13 | Easergy T200 | CVE-2021-22772 | CWE-306: Missing Authentication for Critical Function | Easergy T200 (Modbus) SC2-04MOD-07000100 and earlier • Easergy T200 (IEC104) SC2-04IEC-07000100 and earlier • Easergy T200 (DNP3) SC2-04DNP-07000102 and earlier | SEVD-2021-194-05 | |
| 2021/07/13 | EVlink City / Parking / Smart Wallbox Charging Stations | CVE-2021-22706, CVE-2021-22707, CVE-2021-22708, CVE-2021-22721, CVE-2021-22722, CVE-2021-22723, CVE-2021-22726, CVE-2021-22727, CVE-2021-22728, CVE-2021-22729, CVE-2021-22730, CVE-2021-22773, CVE-2021-22774 | Multiple Vulnerabilities | All versions prior to R8 V3.4.0.1 of EVlink City (EVC1S22P4 / EVC1S7P4), EVlink Parking (EVW2 / EVF2 / EV.2), and EVlink Smart Wallbox (EVB1A) | SEVD-2021-194-06 | |
| 2021/07/13 | APC by Schneider Electric Network Management Cards (Ripple20) (V2.3) | CVE-2020-11896, CVE-2020-11897, CVE-2020-11898, CVE-2020-11899, CVE-2020-11900, CVE-2020-11901, CVE-2020-11902, CVE-2020-11903, CVE-2020-11904, CVE-2020-11905, CVE-2020-11906, CVE-2020-11907, CVE-2020-11908, CVE-2020-11909, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11913, CVE-2020-11914 | Multiple Vulnerabilities (Notification Updated) | • APC Network Management Card 1 (NMC1) • APC Network Management Card 2 (NMC2) • APC Network Management Card 3 (NMC3) | SEVD-2020-174-01 (V2.3) | |
| 2021/07/13 | EcoStruxure™ Control Expert, EcoStruxure™ Process Expert and RemoteConnect™ (V2.0) | CVE-2020-7560 | CWE-123 - Write-what-where Condition | • EcoStruxure Control Expert (versions prior to v15.0 SP1) • Unity Pro (all versions) •EcoStruxure Process Expert (all versions) • RemoteConnect (all versions) | SEVD-2020-343-01 (V2.0) | |
| 2021/07/13 | Triconex Models 3009 MP and TCM 4351B (V1.1) | CVE-2021-22742, CVE-2021-22743, CVE-2021-22744, CVE-2021-22745, CVE-2021-22746, CVE-2021-22747 | Multiple Vulnerabilities | Triconex Model 3009 MP and TCM 4351B installed on Tricon v11.3.x systems. | SEVD-2021-130-03 (V1.1) | |
| 2021/06/08 | IGSS (Interactive Graphical SCADA System) | CVE-2021-22750, CVE-2021-22751, CVE-2021-22752, CVE-2021-22753, CVE-2021-22754, CVE-2021-22755, CVE-2021-22756, CVE-2021-22757, CVE-2021-22758, CVE-2021-22759, CVE-2021-22760, CVE-2021-22761, CVE-2021-22762 | Multiple Vulnerabilities | IGSS Definition (Def.exe) V15.0.0.21140 and prior | SEVD-2021-159-01 | |
| 2021/06/08 | PowerLogic PM55xx and PowerLogic PM8ECC | CVE-2021-22763, CVE-2021-22764 | Multiple Vulnerabilities | PM5560 (Versions prior to V2.7.8) • PM5561 (Versions prior to V10.7.3) • PM5562 (V2.5.4 and prior) • PM5563 (Versions prior to 2.7.8) • PM8ECC (All versions) | SEVD-2021-159-02 | |
| 2021/06/08 | PowerLogic EGX100 and PowerLogicEGX300 | CVE-2021-22763, CVE-2021-22764, CVE-2021-22765, CVE-2021-22766, CVE-2021-22767, CVE-2021-22768 | Multiple Vulnerabilities | EGX100 (All Versions) • EGX100 (Versions 3.0.0 and newer) • EGX300 (All Versions) | SEVD-2021-159-03 | |
| 2021/06/08 | Enerlin'X Com’X 510 | CVE-2021-22769 | CWE-269: Improper Privilege Management | Enerlin’X Com’X versions prior to V6.8.4 | SEVD-2021-159-06 | |
| 2021/06/08 | EcoStruxure™ Machine Expert and Modicon M218/M241/M251/M262, LMC PacDrive Eco/Pro/Pro2, HMISCU, ATV IMC Logic Controllers, SoMachine/SoMachine Motion | CVE-2020-10245, CVE-2019-13538, CVE-2019-9008, CVE-2019-9009, CVE-2020-7052 | Multiple Vulnerabilities (Notification Updated) | • EcoStruxure™ Machine Expert and Modicon M218/M241/M251/M262 • LMC PacDrive Eco/Pro/Pro2 • HMISCU • ATV IMC Logic Controllers • SoMachine/SoMachine Motion (See Security Notification for full version information) | SEVD-2021-130-06 (V2.0) | |
| 2021/05/11 | Modicon Managed Switch | CVE-2021-22731 | CWE-640: Weak Password Recovery Mechanism for Forgotten Password | Modicon Managed Switch MCSESM* and MCSESP* V8.21 and prior | SEVD-2021-130-01 | |
| 2021/05/11 | Harmony HMI Products Configured by Vijeo Designer or EcoStruxure Machine Expert | CVE-2021-22705 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer | Harmony HMI Products Configured by Vijeo Designer (all versions prior to V6.2 SP11 ) or EcoStruxur Machine Expert (all versions prior to V2.0) | SEVD-2021-130-02 | |
| 2021/05/11 | Modicon M241 and M251 Logic Controllers | CVE-2021-22699 | CWE-20: Improper Input Validation | Modicon M241/M251 logic controllers firmware prior to V5.1.9.1 | SEVD-2021-130-05 | |
| 2021/05/11 | EcoStruxure™ Geo SCADA Expert | CVE-2021-22741 | CWE-916: Use of Password Hash with Insufficient Computational Effort | • ClearSCADA (all versions) • EcoStruxure Geo SCADA Expert 2019 (all versions) • EcoStruxure Geo SCADA Expert 2020 (V83.7742.1 and prior) | SEVD-2021-130-07 | |
| 2021/05/11 | Modicon Controllers, EcoStruxure™ Control Expert and Unity Pro Programming Software (V3.0) | CVE-2020-7475 | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (Notification Updated) | • EcoStruxure™ Control Expert: all versions prior to V15.0 • Unity Pro: all versions • Modicon M340: all versions prior to V3.20 • Modicon M580: all versions prior to V3.10 | SEVD-2020-080-01 (V3.0) | |
| 2021/05/11 | Web Server on Modicon M580 Controllers and Communication Modules (V3.0) | CVE-2019-6848, CVE-2019-6849, CVE-2019-6850 | Multiple Vulnerabilities (Notification Updated) | Modicon M580, Modicon BMENOC 0311, Modicon BMENOC 0321 | SEVD-2019-281-04 (V3.0) | |
| 2021/04/13 | NTZ Mekhanotronika Rus. LLC SHFK-MT-104, SHASU-MT-107 and SHAIIS-MT-111 Control Panels | CVE-2019-1040, CVE-2019-0803 | Multiple Vulnerabilities | SHFK-MT-104, SHASU-MT-107, SHAIIS-MT-111 (See Security Notification for details) | SEVD-2021-103-02 | |
| 2021/04/13 | Schneider Electric Floating License Manager | CVE-2019-8960, CVE-2019-8961 | Multiple Vulnerabilities (Notification Updated) | Schneider Electric Floating License Manager V2.4.0.0 and earlier | SEVD-2020-196-02 (V1.3) | |
| 2021/03/09 | IGSS (Interactive Graphical SCADA System) | CVE-2021-22709, CVE-2021-22710, CVE-2021-22711, CVE-2021-22712 | Multiple Vulnerabilities | IGSS Definition (Def.exe) version 15.0.0.21041 and prior | SEVD-2021-068-01 | |
| 2021/03/09 | PowerLogic ION7400 / PM8000 / ION9000 Power Meters | CVE-2021-22714 | CWE-119: Improper restriction of operations within the bounds of a memory buffer | All versions prior to V3.0.0 of ION7400, ION9000, and ION8000 | SEVD-2021-068-02 | |
| 2021/03/09 | PowerLogic ION8650 / ION8800 / ION7x50 / ION7700/73xx / ION83xx/84xx/85xx/8600 Power Meters | CVE-2021-22713 | CWE-119: Improper restriction of operations within the bounds of a memory buffer | ION8650 / ION8800 / ION7x50 / ION7700/73xx / ION83xx/84xx/85xx/8600 (See notification for affected versions) | SEVD-2021-068-03 | |
| 2021/02/09 | PowerLogic Power Metering Products | CVE-2021-22701, CVE-2021-22702, CVE-2021-22703 | Multiple Vulnerabilities | ION7400, ION7x50, ION7700/73xx, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM8000 (see notification for affected versions) | SEVD-2021-040-01 | |
| 2021/01/12 | EcoStruxure™ Operator Terminal Expert (Vijeo XD), Pro-face BLUE and WinGP runtime | CVE-2020-7544 | CWE-269 Improper Privilege Management (Notification Updated) | • EcoStruxure™ Operator Terminal Expert Runtime 3.1 Service Pack 1A and prior • Pro-face BLUE Runtime 3.1 Service Pack 1A and prior • WinGP V4.09.120 • (See security notification for more details) | SEVD-2020-315-02 (V2.0) | |
| 2021/01/12 | Modicon M100/M200/M221 Programmable Logic Controllers (V3.0) | CVE-2020-7565, CVE-2020-7566, CVE-2020-7567, CVE-2020-7568, CVE-2020-28214 | Multiple Vulnerabilities (Notification Updated) | Modicon M100/M200/M221, all references, all versions | SEVD-2020-315-05 (V3.0) | |
| 2020/12/08 | EcoStruxure™ Geo SCADA Expert | CVE-2020-28219 | CWE-522: Insufficiently Protected Credentials | • EcoStruxure Geo SCADA Expert 2019 (Original release and Monthly Updates to September 2020, from 81.7268.1 to 81.7578.1) • EcoStruxure Geo SCADA Expert 2020 (Original release and Monthly Updates to September 2020, from 83.7551.1 to 83.7578.1) | SEVD-2020-343-02 | |
| 2020/12/08 | Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium | CVE-2020-7537, CVE-2020-7542, CVE-2020-7543 | Multiple Vulnerabilities | • Modicon M580 CPUs (BMEx58xxxxx prior to version 3.20) • Modicon M340 CPUs (BMX P34x prior to version 3.30) • Modicon Premium CPUs all versions –(SXP574634, TSXP575634, TSXP576634) • Modicon Quantum CPUs all versions (40CPU65xxxxx) | SEVD-2020-343-08 | |
| 2020/12/08 | Modicon M258 Logic Controllers and SoMachine/ SoMachine Motion Software | CVE-2020-28220 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer | • Modicon M258 Firmware (All versions prior to V5.0.4.11) • SoMachine/SoMachine Motion software (All versions) | SEVD-2020-343-09 | |
| 2020/12/08 | Easergy T300 | CVE-2020-7561, CVE-2020-28215, CVE-2020-28216, CVE-2020-28217, CVE-2020-28218 | Multiple Vulnerabilities (Notification Updated) | Easergy T300 with firmware 2.7 and older | SEVD-2020-315-06 (V2.0) | |
| 2020/12/08 | Wibu-Systems CodeMeter Vulnerabilities | CVE-2020-14509, CVE-2020-14513, CVE-2020-14515, CVE-2020-14517, CVE-2020-14519, CVE-2020-16233 | Multiple Vulnerabilities | - EcoStruxure Machine Expert (formerly known as SoMachine and SoMachine Motion) - E+PLC400 - E+PLC100 - E+PLC_Setup - EcoStruxure Machine SCADA Expert | SEVD-2020-287-02 (V1.1) | |
| 2020/11/10 | Interactive Graphical SCADA System (IGSS) | CVE-2020-7550, CVE-2020-7551, CVE-2020-7552, CVE-2020-7553, CVE-2020-7554, CVE-2020-7555, CVE-2020-7556, CVE-2020-7557, CVE-2020-7558 | Multiple Vulnerabilities | IGSS Definition (Def.exe) version 14.0.0.20247 and prior | SEVD-2020-315-03 | |
| 2020/11/10 | EcoStruxure Building Operation (EBO) | CVE-2020-7569, CVE-2020-7570, CVE-2020-7571, CVE-2020-7572, CVE-2020-7573, CVE-2020-28209, CVE-2020-28210 | Multiple Vulnerabilities | • WebReports V1.9 - V3.1 WebStation (V2.0 - V3.1) • Enterprise Server installer (V1.9 - V3.1) • Enterprise Central installer (V2.0 - V3.1) | SEVD-2020-315-04 | |
| 2020/11/10 | Trio Q and J Data Radios | - | Drovorub malware | Trio Q and J Data Radios | SESB-2020-315-01 | |
| 2020/11/10 | EcoStruxure™ Operator Terminal Expert (Vijeo XD) | CVE-2020-7493, CVE-2020-7494, CVE-2020-7495, CVE-2020-7496, CVE-2020-7497 | Multiple Vulnerabilities | EcoStruxure™ Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) | SEVD-2020-133-04 (V3.0) | |
| 2020/11/10 | Modicon M218/M241/M251/M258 Logic Controllers SoMachine/SoMachine Motion EcoStruxure™ Machine Expert | CVE-2020-7487, CVE-2020-7488 | Multiple Vulnerabilities | All versions | SEVD-2020-105-02 (V1.1) | |
| 2020/10/13 | Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules | CVE-2020-7533 | CWE-255: Credentials Management | - M340 CPUs - M340 Communication Ethernet modules - Premium processors with integrated Ethernet COPRO - Premium communication modules - Quantum processors with integrated Ethernet COPRO - Quantum communication modules | SEVD-2020-287-01 | |
| 2020/10/13 | Smartlink, PowerTag, and Wiser Series Gateways | CVE-2020-7548 | CWE-330 - Use of Insufficiently Random Values | - Acti9 Smartlink SI D all versions prior to 002.004.002 - Acti9 Smartlink SI B all versions prior to 002.004.002 - Acti9 PowerTag Link / Link HD all versions prior to 001.008.007 - Acti9 Smartlink EL B all versions prior to 1.2.1 - Wiser Link all versions prior to 1.5.0 - Wiser Energy all versions prior to 1.5.0 | SEVD-2020-287-03 | |
| 2020/10/13 | EcoStruxure™ and SmartStruxure™ Power Monitoring and SCADA Software | CVE-2020-7545, CVE-2020-7546, CVE-2020-7547 | Multiple Vulnerabilities | - EcoStruxure™ Power Monitoring Expert versions 9.0, 8.x, 7.x - EcoStruxure™ Energy Expert version 2.0 - Power Manager versions 1.1, 1.2, 1.3 - StruxureWare™ PowerSCADA Expert with Advanced Reporting and Dashboards Module versions 8.x - EcoStruxure™ Power SCADA Operation with Advanced Reporting and Dashboards Module version 9.0 | SEVD-2020-287-04 | |
| 2020/10/13 | Netlogon Elevation of Privilege Vulnerability | CVE-2020-1472 | Multiple Vulnerabilities | Elevation of privilege vulnerability | SESB-2020-287-01 | |
| 2020/10/13 | Modbus Serial Driver | CVE-2020-7523 | CWE-269: Improper Privilege Management | - Schneider Electric Modbus Serial Driver (64 bits) versions prior to V3.20 IE 30 - Schneider Electric Modbus Serial Driver (32 bits) versions prior to V2.20 IE 30 - Schneider Electric Modbus Driver Suite versions prior to V14.15.0.0 | SEVD-2020-224-01 (V1.1) | |
| 2020/10/13 | SCADAPack 7x Remote Connect and SCADAPack x70 Security Administrator | CVE-2020-7528, CVE-2020-7529, CVE-2020-7530, CVE-2020-7531, CVE-2020-7532 | Multiple Vulnerabilities | SCADAPack 7x Remote Connect (V3.6.3.574 and prior) and SCADAPack x70 Security Administrator (V1.2.0 and prior) | SEVD-2020-252-01 (V1.1) | |
| 2020/10/13 | Modicon Controllers | CVE-2017-6028 | CWE-522: Insufficiently Protected Credentials | Modicon Controllers, see notification for details | SEVD-2017-075-03 (V2.0) | |
| 2020/08/11 | spaceLYnk and Wiser for KNX (formerly homeLYnk) | CVE-2020-7525 | CWE-307: Improper Restriction of Excessive Authentication Attempts | All hardware versions of spaceLYnk and Wiser for KNX (formerly homeLYnk) | SEVD-2020-224-02 | |
| 2020/08/11 | Modicon M218 Logic Controller | CVE-2020-7524 | CWE-787:Out-of-bounds Write | Modicon M218 Logic Controller V5.0.0.7 and prior | SEVD-2020-224-03 | |
| 2020/08/11 | APC Easy UPS On-Line Software | CVE-2020-7521, CVE-2020-7522 | Multiple Vulnerabilities | SFAPV9601 - APC Easy UPS On-Line Software V2.0 and earlier | SEVD-2020-224-04 | |
| 2020/08/11 | PowerChute Business Edition | CVE-2020-7526 | CWE-20: Improper Input Validation | PowerChute Business Edition software V9.0.x and earlier | SEVD-2020-224-05 | |
| 2020/08/11 | Harmony® eXLhoist | CVE-2019-19193 | Bluetooth Low Energy Vulnerability (SweynTooth) | Harmony® eXLhoist base stations v04.00.02.00 and prior | SEVD-2020-224-06 | |
| 2020/08/11 | SoMove | CVE-2020-7527 | CWE-276: Incorrect Default Permission | SoMove V2.8.1 and prior | SEVD-2020-224-07 | |
| 2020/08/11 | Schneider Electric PACTware | CVE-2020-9403, CVE-2020-9404 | Multiple Vulnerabilities | • Schneider Electric PACTware V5.0.5.30 and prior. • Schneider Electric PACTware V4.1 SP5 and prior. | SEVD-2020-224-08 | |
| 2020/08/11 | Vijeo Designer and Vijeo Designer Basic | CVE-2020-7501 | CWE-798: Use of Hard-coded Credentials | Vijeo Designer Basic V1.1 HotFix 16 and prior , Vijeo Designer V6.9 SP9 and prior | SEVD-2020-133-02 (V1.1) | |
| 2020/08/11 | Vijeo Designer and Vijeo Designer Basic | CVE-2020-7490 | CWE-426: Untrusted Search Path | Vijeo Designer Basic (V1.1 HotFix 15 and prior) and Vijeo Designer (V6.2 SP9 and prior) | SEVD-2020-105-03 (V1.2) | |
| 2020/07/14 | Schneider Electric Software Update (SESU) | CVE-2020-7520 | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | SESU V2.4.0 and earlier | SEVD-2020-196-01 | |
| 2020/06/23 | Security Bulletin: Treck TCP/IP Vulnerabilities (Ripple20) | CVE-2020-11896, CVE-2020-11897, CVE-2020-11898, CVE-2020-11899, CVE-2020-11900, CVE-2020-11901, CVE-2020-11902, CVE-2020-11903, CVE-2020-11904, CVE-2020-11905, CVE-2020-11906, CVE-2020-11907, CVE-2020-11908, CVE-2020-11909, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11913, CVE-2020-11914 | Multiple Vulnerabilities | See Security Bulletin | SESB-2020-168-01 (V2.0) | |
| 2020/06/23 | Legacy Triconex Product Vulnerabilities | CVE-2020-7483, CVE-2020-7484, CVE-2020-7485, CVE-2020-7486, CVE-2020-7491 | Multiple Vulnerabilities | See Security Bulletin | SESB-2020-105-01 (V2.1) | |
| 2020/06/09 | Modicon M218 Logic Controller | CVE-2020-7502 | CWE-787: Out-of-bounds Write Vulnerability | Modicon M218 firmware version 4.3 and prior | SEVD-2020-161-01 | |
| 2020/06/09 | Unity Loader and OS Loader Software | CVE-2020-7498 | CWE-798: Use of Hard-coded Credentials | Unity Loader - All versionsOS Loader - All versions (used for legacy Modicon offers) | SEVD-2020-161-02 | |
| 2020/06/09 | Modicon LMC078 Logic Controller | CVE-2020-10664 | NULL Pointer Dereference | Modicon LMC Logic Controller running with firmware version V1.51.15.05 and later | SEVD-2020-161-03 | |
| 2020/06/09 | Easergy T300 | CVE-2020-7503, CVE-2020-7504, CVE-2020-7505, CVE-2020-7506, CVE-2020-7507, CVE-2020-7508, CVE-2020-7509, CVE-2020-7510, CVE-2020-7511, CVE-2020-7512, CVE-2020-7513 | Multiple Vulnerabilities | Easergy T300 with firmware 1.5.2. and older | SEVD-2020-161-04 | |
| 2020/06/09 | Easergy Builder | CVE-2020-7514, CVE-2020-7515, CVE-2020-7516, CVE-2020-7517, CVE-2020-7518, CVE-2020-7519 | Multiple Vulnerabilities | Easergy Builder version 1.4.7.2 and older | SEVD-2020-161-05 | |
| 2020/06/09 | GoAhead Web Server | CVE-2015-7937 | Stack-based buffer overflow | BMXNOC0401 (all versions prior to v2.09) BMXNOE0100 (all versions prior to v3.10) BMXNOE0100H (all versions prior to v3.10) BMXNOE0110 (all versions prior to v6.30) BMXNOE0110H (all versions prior to v6.30) BMXNOR0200 (all versions prior to v1.70) BMXNOR0200H (all versions prior to v1.70) BMXP342020 (all versions prior to v2.80) BMXP342020H (all versions prior to v2.80) BMXP342030 (all versions prior to v2.80) BMXP3420302 (all versions prior to v2.80) BMXP3420302H (all versions prior to v2.80) BMXPRA0100 (all versions prior to v2.80) | SEVD-2015-344-01 (V2.0) | |
| 2020/05/12 | Pro-face GP-Pro EX Programming Software | CVE-2020-7492 | CWE-521: Weak Password Requirements | GP-Pro EX V1.00 to V4.09.100 | SEVD-2020-133-01 | |
| 2020/05/12 | U.motion Servers and Touch Panels | CVE-2020-7499, CVE-2020-7500 | Multiple Vulnerabilities | All versions of: MTN6501-0001 – U.Motion – KNX Server, MTN6501-0002 – U.Motion – KNX Server Plus, MTN6260-0410 – U.Motion KNX server Plus, Touch 10, MTN6260-0415 – U.Motion KNX server Plus, Touch 15, MTN6260-0310 – U.Motion KNX Client Touch 10, MTN6260-0315 – U.Motion KNX Client Touch 15 | SEVD-2020-133-03 | |
| 2020/05/12 | Andover Continuum System | CVE-2020-7480, CVE-2020-7481, CVE-2020-7482 | Multiple Vulnerabilities | All Continuum versions are affected | SEVD-2020-070-04 (2.1) | |
| 2020/05/12 | Embedded Web Servers for Modicon | CVE-2018-7804, CVE-2018-7809, CVE-2018-7810, CVE-2018-7811, CVE-2018-7812, CVE-2018-7830, CVE-2018-7831, CVE-2018-7833 | Multiple Vulnerabilities | All Modicon M340, Premium, Quantum PLCs, BMXNOR0200 controllers | SESB-2018-327-01 (V3.2) | |
| 2020/04/14 | Modicon M100/M200/M221 controllers, SoMachine Basic and EcoStruxure Machine Expert - Basic Programming Software | CVE-2020-7489 | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | All versions | SEVD-2020-105-01 | |
| 2020/04/14 | Modicon Controllers | CVE-2019-6852, CVE-2019-6859 | Multiple Vulnerabilities | M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules | SEVD-2019-316-02 (V2.0) | |
| 2020/04/14 | Modicon Controllers, EcoStruxure™Control Expert and Unity Pro Programming Software | CVE-2019-6855 | CWE-285 Improper Authorization | EcoStruxure™ Control Expert: all versions prior to 14.1 Hot Fix, Unity Pro: all versions, Modicon M340: all versions prior to V3.20, Modicon M580: all versions prior to V3.10 | SEVD-2019-344-02 (V2.0) | |
| 2020/03/10 | IGSS (Interactive Graphical SCADA System) | CVE-2020-7478, CVE-2020-7479 | Multiple Vulnerabilities | Versions 14 and prior using the service: IGSSupdate. | SEVD-2020-070-01 | |
| 2020/03/10 | Modicon Quantum Ethernet Network module and Quantum / Premium COPRO | CVE-2020-7477 | CWE-754: Improper Check for Unusual or Exception Conditions | Quantum Ethernet Network module 140NOE771x1, versions 7.0 and prior, Quantum processors with integrated Ethernet – 140CPU65xxxxx, all versions, Premium processors with integrated Ethernet, all versions | SEVD-2020-070-02 | |
| 2020/03/10 | ZigBee Installation Toolkit | CVE-2020-7476 | CWE-426: Untrusted Search Path | Versions prior to 1.0.1 | SEVD-2020-070-03 | |
| 2020/02/11 | ProSoft Configurator for Modicon PMEPXM0100 (H) | CVE-2020-7474 | CWE-427: Uncontrolled Search Path Element | ProSoft Configurator v1.002 and prior, for the PMEPXM0100 (H) module | SEVD-2020-042-01 | |
| 2020/02/11 | U.motion Builder Software | CVE-2018-7763, CVE-2018-7764, CVE-2018-7765, CVE-2018-7766, CVE-2018-7767, CVE-2018-7768, CVE-2018-7769, CVE-2018-7770, CVE-2018-7771, CVE-2018-7772, CVE-2018-7773, CVE-2018-7774, CVE-2018-7776, CVE-2018-7777, CVE-2018-7494 | Security Notification Updated | All versions prior to v1.3.4 | SEVD-2018-095-01 (V1.2) | |
| 2020/01/28 | EcoStruxure™ Operator Terminal Expert | - | Security Bulletin | EcoStruxure™ Operator Terminal Expert software | SESB-2020-028-01 | |
| 2020/01/14 | MSX Configurator | CVE-2019-6858 | CWE-427:Uncontrolled Search Path Element | Software Version prior to V1.0.8.1 | SEVD-2020-014-01 |
