CVE-2021-22797
HIGHEcoStruxure Control Expert <15.1 & Process Expert <2021 - RCE via Malicious Project File
Title source: llmDescription
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal) vulnerability exists that could cause malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file is loaded in the engineering software. Affected Product: EcoStruxure Control Expert (V15.0 SP1 and prior, including former Unity Pro), EcoStruxure Process Expert (2020 and prior, including former HDCS), SCADAPack RemoteConnect for x70 (All versions)
References (1)
Core 1
Core References
Mitigation, Patch, Vendor Advisory x_refsource_misc
https://www.se.com/ww/en/download/document/SEVD-2021-257-01/
Scores
CVSS v3
7.8
EPSS
0.0097
EPSS Percentile
76.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (3)
schneider-electric/ecostruxure_control_expert
< 15.1
schneider-electric/ecostruxure_process_expert
< 2021
schneider-electric/remoteconnect
Published
Apr 13, 2022
Tracked Since
Feb 18, 2026