CVE-2021-22779
CRITICAL
Schneider-electric Ecostruxure Control Expert < 15.0 - Authentication Bypass by Spoofing
Title source: ruleDescription
An Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), SCADAPack RemoteConnect for x70 (all versions), Modicon M580 CPU (all versions - part numbers BMEP* and BMEH*), and Modicon M340 CPU (all versions - part numbers BMXP34*) that could cause unauthorized access in read and write mode to the controller by spoofing the Modbus communication between the engineering software and the controller.
References (1)
Core References
Vendor Advisory x_refsource_misc
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-194-01
Scores
CVSS v3: 9.1
EPSS: 0.0019
EPSS Percentile: 40.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE: CWE-290
Status: published
Products (33)
schneider-electric/ecostruxure_control_expert: 15.0 (2 CPE variants)
schneider-electric/ecostruxure_control_expert: < 15.0
schneider-electric/ecostruxure_process_expert
schneider-electric/modicon_m340_bmxp341000_firmware
schneider-electric/modicon_m340_bmxp342010_firmware
schneider-electric/modicon_m340_bmxp342020_firmware
schneider-electric/modicon_m340_bmxp342030_firmware
schneider-electric/modicon_m580_bmeh582040_firmware
schneider-electric/modicon_m580_bmeh582040c_firmware
schneider-electric/modicon_m580_bmeh582040s_firmware
... and 23 more
Published: Jul 14, 2021
Tracked Since: Feb 18, 2026