CVE-2021-22797

moderate-risk
Published 2022-04-13

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal) vulnerability exists that could cause malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file is loaded in the engineering software. Affected Product: EcoStruxure Control Expert (V15.0 SP1 and prior, including former Unity Pro), EcoStruxure Process Expert (2020 and prior, including former HDCS), SCADAPack RemoteConnect for x70 (All versions)

Do I need to act?

-
0.97% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.8/10 High
LOCAL / LOW complexity

Affected Products (3)

Ecostruxure Process Expert
Remoteconnect

Affected Vendors

Schneider-Electric

References (2)

Mitigation https://www.se.com/ww/en/download/document/SEVD-2021-257-01/
Mitigation https://www.se.com/ww/en/download/document/SEVD-2021-257-01/
36
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 3/34 · Minimal
Exposure 9/34 · Low