Weak Password Recovery EcoStruxure Control Expert <V15 & Modicon M340/M580 <V3.40
CVE-2022-37300 Published on September 12, 2022
A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoStruxure Process Expert, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior), Modicon M340 CPU (part numbers BMXP34*) (V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*) (V3.20 and prior).
Vulnerability Analysis
CVE-2022-37300 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
Weak Password Recovery Mechanism for Forgotten Password
The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Products Associated with CVE-2022-37300
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-37300 are published in these products:
Affected Versions
Schneider Electric EcoStruxure Control Expert:- Version SP1, <= 15.0 is affected.
- Version V, <= 2021 is affected.
- Version BMXP34, <= 3.40 is affected.
- Version BMEP, <= 3.20 is affected.
- Version BMEH, <= 3.20 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.