Ecostruxure Machine Expert
CVE-2020-7489
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability exists on EcoStruxure Machine Expert - Basic or SoMachine Basic programming software (versions in security notification). The result of this vulnerability, DLL substitution, could allow the transference of malicious code to the controller.
AnalysisAI
A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability exists on EcoStruxure Machine Expert - Basic or SoMachine Basic programming. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-74. A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability exists on EcoStruxure Machine Expert - Basic or SoMachine Basic programming software (versions in security notification). The result of this vulnerability, DLL substitution, could allow the transference of malicious code to the controller. Affected products include: Schneider-Electric Ecostruxure Machine Expert, Schneider-Electric Somachine Basic, Schneider-Electric Modicon M100 Firmware, Schneider-Electric Modicon M200 Firmware, Schneider-Electric Modicon M221 Firmware.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Ecostruxure Machine Expert
View allA CWE-345: Insufficient Verification of Data Authenticity vulnerability exists which could allow the attacker to execute
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists in Harmony/HMI Products Confi
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause denial of
A CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists which could leak sensitive information t
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today