CVE-2017-9970
HIGHSchneider Electric StruxureOn Gateway <= 1.1.3 - Remote Code Execution via Zip Metadata Injection
Title source: llmDescription
A remote code execution vulnerability exists in Schneider Electric's StruxureOn Gateway versions 1.1.3 and prior. Uploading a zip which contains carefully crafted metadata allows for the file to be uploaded to any directory on the host machine information which could lead to remote code execution.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/103052
Mitigation, Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-18-046-04
Vendor Advisory x_refsource_confirm
https://www.schneider-electric.com/en/download/document/SEVD-2018-039-01/
Scores
CVSS v3
7.2
EPSS
0.0493
EPSS Percentile
91.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
schneider-electric/struxureon_gateway
< 1.1.3
Published
Feb 12, 2018
Tracked Since
Feb 18, 2026