CVE-2018-7777

HIGH

Schneider Electric U.motion Builder <1.3.4 - RCE

Title source: llm

Description

The vulnerability is due to insufficient handling of update_file request parameter on update_module.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target server.

Exploits (1)

exploitdb WORKING POC

by Cosmin Craciun · pythonwebappshardware

https://www.exploit-db.com/exploits/47991

View Code ZIP pw:eip

References (2)

[Vendor Advisory] https://www.schneider-electric.com/en/download/document/SEVD-2018-095-01/

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/156184/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html

Scores

CVSS v3 8.8

EPSS 0.1581

EPSS Percentile 94.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-20

Status published

Products (1)

schneider-electric/u.motion_builder < 1.3.4

Published Jul 03, 2018

Tracked Since Feb 18, 2026