CVE-2022-37301

high-risk
Published 2022-11-22

A CWE-191: Integer Underflow (Wrap or Wraparound) vulnerability exists that could cause a denial of service of the controller due to memory access violations when using the Modbus TCP protocol. Affected products: Modicon M340 CPU (part numbers BMXP34*, V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*, V3.22 and prior), Legacy Modicon Quantum/Premium (all versions), Modicon Momentum MDI (171CBU*, all versions), Modicon MC80 (BMKC80, V1.7 and prior).

Do I need to act?

0.54% chance of exploitation (EPSS score: low exploit probability)
Not on CISA KEV list (no confirmed active exploitation reported to CISA)
Patch status unknown (check vendor advisories for fix availability and mitigation guidance)
CVSS 7.5/10 High (NETWORK / LOW complexity)

Affected Products (20)

Modicon M340 Bmx P34-2010 Firmware
Modicon M340 Bmx P34-2030 Firmware
Modicon M580 Bmeh582040 Firmware
Modicon M580 Bmeh582040C Firmware
Modicon M580 Bmeh582040S Firmware
Modicon M580 Bmeh584040 Firmware
Modicon M580 Bmeh584040C Firmware
Modicon M580 Bmeh584040S Firmware
Modicon M580 Bmeh586040 Firmware
Modicon M580 Bmeh586040C Firmware
Modicon M580 Bmeh586040S Firmware
Modicon M580 Bmep581020 Firmware
Modicon M580 Bmep581020H Firmware
Modicon M580 Bmep582020 Firmware
Modicon M580 Bmep582020H Firmware
Modicon M580 Bmep582040 Firmware
Modicon M580 Bmep582040H Firmware
Modicon M580 Bmep582040S Firmware
Modicon M580 Bmep583020 Firmware
Modicon M580 Bmep583040 Firmware

Affected Vendors

53/100 high-risk
Severity 26/34 · High
Exploitability 2/34 · Minimal
Exposure 25/34 · High