1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Schneider Electric
- Equipment: Harmony HMI and Pro-face HMI Products
- Vulnerability: Use of Unmaintained Third-Party Components
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow complete control of the device when an authenticated user installs malicious code into the HMI product.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports the following versions of Harmony HMI and Pro-face HMI are affected:
- Harmony HMIST6: All versions
- Harmony HMISTM6: All versions
- Harmony HMIG3U: All versions
- Harmony HMIG3X: All versions
- Harmony HMISTO7 series with EcoStruxure Operator Terminal Expert runtime: All versions
- PFXST6000: All versions
- PFXSTM6000: All versions
- PFXSP5000: All versions
- PFXGP4100 series with Pro-face BLUE runtime: All versions
3.2 Vulnerability Overview
3.2.1 USE OF UNMAINTAINED THIRD-PARTY COMPONENTS CWE-1104
The affected products use an unmaintained third-party component (CWE-1104), which could allow complete control of the device when an authenticated user installs malicious code into the HMI product.
CVE-2024-11999 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-11999. A base score of 8.7 has been calculated; the CVSS vector string is (