ID

VAR-202209-0597


CVE

CVE-2022-37300


TITLE

Multiple Schneider Electric Product Authorization Issue Vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202209-725

DESCRIPTION

A CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected products: EcoStruxure Control Expert, including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior); EcoStruxure Process Expert, including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior); Modicon M340 CPU (part numbers BMXP34*) (V3.40 and prior); Modicon M580 CPU (part numbers BMEP* and BMEH*) (V3.20 and prior).

Trust: 1.0

sources: NVD: CVE-2022-37300

AFFECTED PRODUCTS

vendor: schneider electric | model: modicon m580 bmep582020 | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m340 bmxp3420302 | scope: lt | version: 3.50

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmep585040c | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmep581020h | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m340 bmxp342000 | scope: lt | version: 3.50

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmep584020 | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmeh582040s | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmep583020 | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmep582040h | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmep584040s | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m340 bmxp342020h | scope: lt | version: 3.50

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmeh582040c | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmep581020 | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmep582040 | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmeh584040 | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m340 bmxp3420102 | scope: lt | version: 3.50

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmeh584040c | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmep582020h | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmep586040 | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m340 bmxp342030 | scope: lt | version: 3.50

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmep586040c | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: ecostruxure process expert | scope: lte | version: 2021

Trust: 1.0

vendor: schneider electric | model: modicon m340 bmxp342020 | scope: lt | version: 3.50

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmeh584040s | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmeh586040 | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmep584040 | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmep585040 | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmep583040 | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmeh586040s | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: ecostruxure control expert | scope: lt | version: 15.1

Trust: 1.0

vendor: schneider electric | model: modicon m340 bmxp3420302h | scope: lt | version: 3.50

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmeh582040 | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m580 bmeh586040c | scope: lt | version: 4.02

Trust: 1.0

vendor: schneider electric | model: modicon m340 bmxp342010 | scope: lt | version: 3.50

Trust: 1.0

vendor: schneider electric | model: modicon m340 bmxp342030h | scope: lt | version: 3.50

Trust: 1.0

vendor: schneider electric | model: modicon m340 bmxp341000 | scope: lt | version: 3.50

Trust: 1.0

sources: NVD: CVE-2022-37300

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-37300
value: CRITICAL

Trust: 1.0

CNNVD: CNNVD-202209-725
value: CRITICAL

Trust: 0.6

NVD: CVE-2022-37300
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNNVD: CNNVD-202209-725 // NVD: CVE-2022-37300

PROBLEMTYPE DATA

problemtype: CWE-640

Trust: 1.0

sources: NVD: CVE-2022-37300

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202209-725

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202209-725

CONFIGURATIONS

sources: NVD: CVE-2022-37300

PATCH

title: Multiple Schneider Electric Product Authorization Issue Vulnerability Fixing Measures | url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=207862

Trust: 0.6

sources: CNNVD: CNNVD-202209-725

EXTERNAL IDS

db: NVD | id: CVE-2022-37300

Trust: 1.6

db: SCHNEIDER | id: SEVD-2022-221-01

Trust: 1.6

db: CNNVD | id: CNNVD-202209-725

Trust: 0.6

sources: CNNVD: CNNVD-202209-725 // NVD: CVE-2022-37300

REFERENCES

url: https://www.se.com/us/en/download/document/sevd-2022-221-01/

Trust: 1.6

url: https://cxsecurity.com/cveshow/cve-2022-37300/

Trust: 0.6

sources: CNNVD: CNNVD-202209-725 // NVD: CVE-2022-37300

SOURCES

db: CNNVD | id: CNNVD-202209-725
db: NVD | id: CVE-2022-37300

LAST UPDATE DATE

2022-09-16T22:28:54.978000+00:00


SOURCES UPDATE DATE

db: CNNVD | id: CNNVD-202209-725 | date: 2022-09-16T00:00:00
db: NVD | id: CVE-2022-37300 | date: 2022-09-15T17:30:00

SOURCES RELEASE DATE

db: CNNVD | id: CNNVD-202209-725 | date: 2022-09-12T00:00:00
db: NVD | id: CVE-2022-37300 | date: 2022-09-12T18:15:00