CVE-2016-2278

HIGH

Schneider-electric Struxureware Build... - Improper Access Control


Description

Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism.

Exploits (1)

exploitdb WRITEUP
by Karn Ganeshen · text · remote · hardware
https://www.exploit-db.com/exploits/39522

References (3)

Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39522/

Scores

CVSS v3 7.2
EPSS 0.1404
EPSS Percentile 94.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-284
Status published
Products (2)
schneider-electric/struxureware_building_operations_automation_server_as-p_firmware 1.7
schneider-electric/struxureware_building_operations_automation_server_as_firmware < 1.7
Published Mar 02, 2016
Tracked Since Feb 18, 2026