1. EXECUTIVE SUMMARY
- CVSS v4 6.9
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Schneider Electric
- Equipment: Modicon M340, BMXNOE0100, and BMXNOE0110
- Vulnerability: Files or Directories Accessible to External Parties
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow attackers to prevent firmware updates and disrupt the webserver’s proper behavior by removing specific files or directories from the filesystem.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
- Modicon M340: All versions
- Modbus/TCP Ethernet Modicon M340 module: Versions prior to SV3.60
- Modbus/TCP Ethernet Modicon M340 FactoryCast module: Versions prior to SV6.80
3.2 VULNERABILITY OVERVIEW
3.2.1 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552
A Files or Directories Accessible to External Parties vulnerability exists that may prevent the user from updating the device firmware and prevent proper behavior of the webserver when specific files or directories are removed from the filesystem.
CVE-2024-5056 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2024-5056. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L
[…]