CVE-2022-0222

moderate-risk

Published 2022-11-22

A CWE-269: Improper Privilege Management vulnerability exists that could cause a denial of service of the Ethernet communication of the controller when sending a specific request over SNMP. Affected products: Modicon M340 CPUs(BMXP34* versions prior to V3.40), Modicon M340 X80 Ethernet Communication modules:BMXNOE0100 (H), BMXNOE0110 (H), BMXNOR0200H RTU(BMXNOE* all versions)(BMXNOR* versions prior to v1.7 IR24)

Do I need to act?

0.33% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (14)

Modicon M340 Bmxp341000 Firmware

Modicon M340 Bmxp342000 Firmware

Modicon M340 Bmxp342010 Firmware

Modicon M340 Bmxp3420102 Firmware

Modicon M340 Bmxp342020 Firmware

Modicon M340 Bmxp342020H Firmware

Modicon M340 Bmxp342030 Firmware

Modicon M340 Bmxp3420302 Firmware

Modicon M340 Bmxp3420302H Firmware

Modicon M340 Bmxp342030H Firmware

Modicon M340 Bmxnoe0100 Firmware

Modicon M340 Bmxnoe0110 Firmware

Modicon M340 Bmxnoe0110H Firmware

Modicon M340 Bmxnor0200H Firmware

Affected Vendors

Schneider-Electric

References (2)

Vendor Advisory https://www.se.com/us/en/download/document/SEVD-2022-102-02/

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 18/34 · Moderate