CVE-2019-6852

moderate-risk
Published 2019-11-20

A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP hardcoded credentials when using the Web server of the controller on an unsecure network.

Do I need to act?

EPSS score: 0.35% chance of exploitation (low exploit probability)
CISA KEV: Not on CISA KEV list. No confirmed active exploitation reported to CISA.
Patch status: unknown. Check vendor advisories for fix availability and mitigation guidance.
CVSS: 7.5/10 High (NETWORK / LOW complexity)

Affected Products (10)

Bmx P34X Firmware
Bmx Noe 0100 Firmware
Bmx Noe 0110 Firmware
Bmx Noc 0401 Firmware
Tsx P57X Firmware
Tsx Ety X103 Firmware
140 Cpu6X Firmware
140 Noe 771X1 Firmware
140 Noc 78X00 Firmware
140 Noc 77101 Firmware

Affected Vendors

43 / 100 · moderate-risk
Severity 26/34 · High
Exploitability 1/34 · Minimal
Exposure 16/34 · Moderate