1. EXECUTIVE SUMMARY
- CVSS v4 8.5
- ATTENTION: Low Attack Complexity
- Vendor: Schneider Electric
- Equipment: Electric RemoteConnect and SCADAPack x70 Utilities
- Vulnerability: Deserialization of Untrusted Data
2. RISK EVALUATION
Successful exploitation of this vulnerability could lead to loss of confidentiality, integrity, and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
- RemoteConnect: All versions
- SCADAPackTM x70 Utilities: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502
A deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity, and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file.
CVE-2024-12703 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-12703. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from All CISA AdvisoriesRead the original article: