CVE-2018-7240

moderate-risk

Published 2018-04-18

A vulnerability exists in Schneider Electric's Modicon Quantum in all versions of the communication modules which could allow arbitrary code execution. An FTP command used to upgrade the firmware of the module can be misused to cause a denial of service, or in extreme cases, to load a malicious firmware.

Do I need to act?

0.41% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (13)

140Cpu65150 Firmware

140Cpu31110 Firmware

140Cpu43412U Firmware

140Cpu65160 Firmware

140Cpu65260 Firmware

140Cpu65860 Firmware

140Cpu65160S Firmware

140Cpu65150C Firmware

140Cpu31110C Firmware

140Cpu43412Uc Firmware

140Cpu65160C Firmware

140Cpu65260C Firmware

140Cpu65860C Firmware

Affected Vendors

Schneider-Electric

References (6)

Third Party Advisory http://www.securityfocus.com/bid/103541

Third Party Advisory https://ics-cert.us-cert.gov/advisories/ICSA-18-086-01

Vendor Advisory https://www.schneider-electric.com/en/download/document/SEVD-2018-081-01/

Third Party Advisory http://www.securityfocus.com/bid/103541

Third Party Advisory https://ics-cert.us-cert.gov/advisories/ICSA-18-086-01

Vendor Advisory https://www.schneider-electric.com/en/download/document/SEVD-2018-081-01/

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 2/34 · Minimal

Exposure 17/34 · Moderate