CVE-2021-22785

moderate-risk
Published 2022-02-11

A CWE-200: Information Exposure vulnerability exists that could cause sensitive information of files located in the web root directory to leak when an attacker sends a HTTP request to the web server of the device. Affected Product: Modicon M340 CPUs: BMXP34 (Versions prior to V3.40), Modicon M340 X80 Ethernet Communication Modules: BMXNOE0100 (H), BMXNOE0110 (H), BMXNOC0401, BMXNOR0200H RTU (All Versions), Modicon Premium Processors with integrated Ethernet (Copro): TSXP574634, TSXP575634, TSXP576634 (All Versions), Modicon Quantum Processors with Integrated Ethernet (Copro): 140CPU65xxxxx (All Versions), Modicon Quantum Communication Modules: 140NOE771x1, 140NOC78x00, 140NOC77101 (All Versions), Modicon Premium Communication Modules: TSXETY4103, TSXETY5103 (All Versions)

Do I need to act?

-
0.40% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (14)

Bmxnoe0100 Firmware
Bmxnoe0110 Firmware
Bmxnoc0401 Firmware
Bmxnor0200H Rtu Firmware
Tsxp574634 Firmware
Tsxp575634 Firmware
Tsxp576634 Firmware
140Noe771X1 Firmware
140Noc78X00 Firmware
140Noc77101 Firmware
Tsxety4103 Firmware
Tsxety5103 Firmware

Affected Vendors

Schneider-Electric

References (2)

Patch https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-257-02
Patch https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-257-02
46
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 2/34 · Minimal
Exposure 18/34 · Moderate