CVE-2017-13997

moderate-risk

Published 2017-10-03

A Missing Authentication for Critical Function issue was discovered in Schneider Electric InduSoft Web Studio v8.0 SP2 or prior, and InTouch Machine Edition v8.0 SP2 or prior. InduSoft Web Studio provides the capability for an HMI client to trigger script execution on the server for the purposes of performing customized calculations or actions. A remote malicious entity could bypass the server authentication and trigger the execution of an arbitrary command. The command is executed under high privileges and could lead to a complete compromise of the server.

Do I need to act?

1.6% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (2)

Wonderware Indusoft Web Studio

Wonderware Intouch

Affected Vendors

Schneider-Electric

References (4)

Third Party Advisory http://www.securityfocus.com/bid/100952

Mitigation https://ics-cert.us-cert.gov/advisories/ICSA-17-264-01

Third Party Advisory http://www.securityfocus.com/bid/100952

Mitigation https://ics-cert.us-cert.gov/advisories/ICSA-17-264-01

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 4/34 · Minimal

Exposure 7/34 · Low