CVE-2020-7475

moderate-risk

Published 2020-03-23

A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), reflective DLL, vulnerability exists in EcoStruxure Control Expert (all versions prior to 14.1 Hot Fix), Unity Pro (all versions), Modicon M340 (all versions prior to V3.20), Modicon M580 (all versions prior to V3.10), which, if exploited, could allow attackers to transfer malicious code to the controller.

Do I need to act?

0.57% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (4)

Ecostruxure Control Expert

Unity Pro

Modicon M340 Firmware

Modicon M580 Firmware

Affected Vendors

Schneider-Electric

References (2)

Vendor Advisory http://www.se.com/ww/en/download/document/SEVD-2020-080-01

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 2/34 · Minimal

Exposure 10/34 · Low