CVE-2017-7574
CRITICAL
Schneider Electric SoMachine Basic 1.4 SP1 & Modicon TM221CE16R 1.3.3.3 Hard-coded Credentials
Title source: llm
Description
Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modicon TM221CE16R 1.3.3.3 devices have a hardcoded-key vulnerability. The Project Protection feature is used to prevent unauthorized users from opening an XML protected project file, by prompting the user for a password. This XML file is AES-CBC encrypted; however, the key used for encryption (SoMachineBasicSoMachineBasicSoMa) cannot be changed. After decrypting the XML file with this key, the user password can be found in the decrypted data. After reading the user password, the project can be opened and modified with the Schneider product.
References (3)
Vendor Advisory x_refsource_confirm
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-097-01
Broken Link x_refsource_misc
https://os-s.net/advisories/OSS-2017-02.pdf
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97518
Scores
CVSS v3
9.8
EPSS
0.0027
EPSS Percentile
50.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-798
Status
published
Products (2)
schneider-electric/modicon_tm221ce16r_firmware
1.3.3.3
schneider-electric/somachine
1.4 sp1
Published
Apr 06, 2017
Tracked Since
Feb 18, 2026