1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Schneider Electric
- Equipment: ASCO 5310 / 5350
- Vulnerabilities: Download of Code Without Integrity Check, Allocation of Resources Without Limits or Throttling, Cleartext Transmission of Sensitive Information, Unrestricted Upload of File with Dangerous Type
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to cause a denial of service, loss of availability, or loss of device integrity.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports the following products are affected:
- Schneider Electric ASCO 5310 Single-Channel Remote Annunciator: All versions
- Schneider Electric ASCO 5350 Eight Channel Remote Annunciator: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK CWE-494
The Schneider Electric ASCO 5310 / 5350 remote annunciator is vulnerable to a download of code without integrity check (CWE-494): firmware is accepted without its origin or integrity being verified, so a malicious firmware download could render the device inoperable.
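The following Go program is an added illustration of the CWE-494 pattern and its usual remedy; it is not Schneider Electric's code and the advisory does not describe how the annunciator actually processes firmware. It assumes a hypothetical update scheme in which the vendor ships each image with a detached Ed25519 signature over the image's SHA-256 digest and the device holds the vendor's public key. The "unchecked" install path writes whatever arrives; the "verified" path refuses to touch flash unless the signature verifies, so a corrupted or substituted image cannot brick the device. The firmware bytes and key pair are constructed inside the program.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when an image fails verification; nothing is written.
var ErrBadSignature = errors.New("firmware rejected: signature does not verify against vendor key")

// FirmwareUpdate is a constructed model of an update package (hypothetical format):
// the raw image plus a detached Ed25519 signature over the image's SHA-256 digest.
type FirmwareUpdate struct {
	Image     []byte
	Signature []byte
}

// Device is a constructed model of the update target. VendorPubKey stands in for
// a key that would be provisioned into the device at manufacture.
type Device struct {
	VendorPubKey ed25519.PublicKey
	Flash        []byte
}

// SignImage is the vendor-side release step: hash the image and sign the digest.
func SignImage(priv ed25519.PrivateKey, image []byte) FirmwareUpdate {
	digest := sha256.Sum256(image)
	return FirmwareUpdate{Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// InstallUnchecked is the CWE-494 pattern: whatever arrives is written to flash,
// so a corrupted or attacker-supplied image is accepted and may leave the device inoperable.
func (d *Device) InstallUnchecked(u FirmwareUpdate) error {
	d.Flash = append([]byte(nil), u.Image...)
	return nil
}

// InstallVerified is the corrected pattern: verify first, write only on success.
func (d *Device) InstallVerified(u FirmwareUpdate) error {
	if len(d.VendorPubKey) != ed25519.PublicKeySize {
		return errors.New("device has no valid vendor public key provisioned")
	}
	digest := sha256.Sum256(u.Image)
	if !ed25519.Verify(d.VendorPubKey, digest[:], u.Signature) {
		return ErrBadSignature
	}
	d.Flash = append([]byte(nil), u.Image...)
	return nil
}

// Tamper returns a copy of u with one image byte flipped and the signature left as-is,
// modelling an image that was corrupted or altered in transit.
func Tamper(u FirmwareUpdate) FirmwareUpdate {
	img := append([]byte(nil), u.Image...)
	img[0] ^= 0xFF
	return FirmwareUpdate{Image: img, Signature: u.Signature}
}

// Outcome summarises one run of both install paths against a genuine and a tampered image.
type Outcome struct {
	GenuineAccepted   bool // verified path accepts the vendor-signed image
	TamperedRejected  bool // verified path refuses the modified image and leaves flash untouched
	UncheckedTakesAny bool // CWE-494 path writes the modified image regardless
}

// Demo generates a throwaway vendor key pair and exercises both paths.
func Demo() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := []byte("CONSTRUCTED-SAMPLE-FIRMWARE-IMAGE v0.0") // constructed sample, not a real image
	update := SignImage(priv, genuine)
	bad := Tamper(update)

	safe := &Device{VendorPubKey: pub}
	var out Outcome
	out.GenuineAccepted = safe.InstallVerified(update) == nil && bytes.Equal(safe.Flash, genuine)
	out.TamperedRejected = errors.Is(safe.InstallVerified(bad), ErrBadSignature) && bytes.Equal(safe.Flash, genuine)

	legacy := &Device{VendorPubKey: pub}
	out.UncheckedTakesAny = legacy.InstallUnchecked(bad) == nil && bytes.Equal(legacy.Flash, bad.Image)
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The point of the design is ordering: the signature check happens before any write, and a rejected image leaves the previously installed firmware in place. Verifying against a key provisioned on the device also means a mirror, proxy, or engineering workstation that serves the image does not have to be trusted for integrity.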
CVE-2025-1058 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-1058. A base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
[…]