CRITICAL🇵🇱 Wersja polska

CVE-2024-10575

CVSS 10.0v4.0pub. 2024-11-13upd. 2024-11-19

CWE-862: Missing Authorization vulnerability exists that could cause unauthorized access when enabled on the network and potentially impacting connected devices.

🤖 AI Analysis
How it works

The vulnerability consists of a lack of authorization mechanisms protecting specific functions or resources of the EcoStruxure IT Gateway system. An unauthenticated remote attacker, without requiring user interaction, can gain access to protected resources over the network. As a result, it is also possible to impact devices connected to the gateway.

Impact

An attacker can gain unauthorized access to the IT infrastructure management system and potentially affect the availability, integrity, and confidentiality of data and connected devices. Due to the network vector and lack of prerequisites, the scope of possible damage is very broad.

Mitigation & patch

Apply patches available from the manufacturer according to references — detailed information about versions is contained in the Schneider Electric security bulletin available at: https://download.schneider-electric.com/doc/SEVD-2024-317-04/SEVD-2024-317-04.pdf

Who is affected

Schneider Electric EcoStruxure IT Gateway — versions specified in manufacturer references (document SEVD-2024-317-04)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Schneider Electric Ecostruxure It Gateway

    APP
    Schneider-Electric
    1.21.0.61.22.0.31.22.1.51.23.0.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-0865HIGH7.8ten sam produkt

CWE-798: Use of hard-coded credentials vulnerability exists that could cause local privilege escalation when l...

CVE-2020-10626HIGH7.8ten sam produkt

In Fazecast jSerialComm, Version 2.2.2 and prior, an uncontrolled search path element vulnerability could allo...

CVE-2018-7841CRITICAL9.8⚠ KEVten sam vendor

A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unw...

CVE-2024-6407CRITICAL9.8PL ✓ten sam vendor

Ujawnienie poświadczeń w urządzeniu Schneider Electric WHC-5918A

CVE-2024-37036CRITICAL9.8PL ✓ten sam vendor

Out-of-bounds Write umożliwiający Auth Bypass w Schneider Electric Sage RTU