CVE-2020-7541

MEDIUM

Schneider Electric Modicon M340 - Unauthenticated Sensitive Data Exposure

Title source: llm

Description

A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://www.se.com/ww/en/download/document/SEVD-2020-343-03/

Scores

CVSS v3 5.3

EPSS 0.0087

EPSS Percentile 53.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-425

Status published

Products (20)

schneider-electric/140cpu65150_firmware < 6.1

schneider-electric/140noc77101_firmware < 1.08

schneider-electric/140noc78000_firmware < 1.74

schneider-electric/140noc78100_firmware < 1.74

schneider-electric/140noe77111_firmware < 7.1

schneider-electric/bmxnoc0401_firmware < 2.10

schneider-electric/bmxnoe0100_firmware < 3.3

schneider-electric/bmxnoe0110_firmware < 6.5

schneider-electric/modicon_m340_bmxp341000_firmware < 3.30

schneider-electric/modicon_m340_bmxp342000_firmware < 3.30

... and 10 more

Published Dec 11, 2020

Tracked Since Feb 18, 2026