1. EXECUTIVE SUMMARY
- CVSS v3 7.1
- ATTENTION: Exploitable remotely
- Vendor: Schneider Electric
- Equipment: EcoStruxure Power Monitoring Expert (PME)
- Vulnerability: Deserialization of Untrusted Data
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to remotely execute code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
- EcoStruxure Power Monitoring Expert (PME): Versions 2022 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502
A deserialization of untrusted data vulnerability exists which could allow code to be remotely executed on the server when unsafely deserialized data is posted to the web server.
CVE-2024-9005 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER
Schneider Electric CPCERT reported this vulnerability to CISA.
4. MITIGATIONS
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:
- EcoStruxure Power Monitoring Expert 2021 and prior have reached end-of-life support. Users should consider upgrading to the latest version offering of PME to resolve this
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from All CISA AdvisoriesRead the original article: