1. EXECUTIVE SUMMARY
- CVSS v3 8.5
- ATTENTION: Low attack complexity
- Vendor: Schneider Electric
- Equipment: EVlink Home Smart and Schneider Charge
- Vulnerability: Cleartext Storage of Sensitive Information
2. RISK EVALUATION
Successful exploitation of this vulnerability may expose test credentials in the firmware binary.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following EVlink Home Smart and Schneider Charge charging stations are affected:
- EVlink Home Smart: All versions prior to 2.0.6.0.0
- Schneider Charge: All versions prior to 1.13.4
3.2 VULNERABILITY OVERVIEW
3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312
A cleartext storage of sensitive information vulnerability exists that exposes test credentials in the firmware binary.
CVE-2024-8070 has been assigned to this vulnerability. A CVSS v3 base score of 8.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
- COUNTRIES/AREAS DEPLOYED: Europe, Asia Pacific, Middle East, and Africa
- COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER
Simon Petitjean reported this vulnerability to Schneider Electric.
4. MITIGATIONS
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:
- EVlink Home Smart: For already connected products, Version 2.0.6.0.0 of EVlink Home Smart includes a fix
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from All CISA AdvisoriesRead the original article: