CWE-862: Missing Authorization vulnerability exists that could cause unauthorized access when enabled on the network and potentially impacting connected devices.
The vulnerability consists of a lack of authorization mechanisms protecting specific functions or resources of the EcoStruxure IT Gateway system. An unauthenticated remote attacker, without requiring user interaction, can gain access to protected resources over the network. As a result, it is also possible to impact devices connected to the gateway.
An attacker can gain unauthorized access to the IT infrastructure management system and potentially affect the availability, integrity, and confidentiality of data and connected devices. Due to the network vector and lack of prerequisites, the scope of possible damage is very broad.
Apply patches available from the manufacturer according to references — detailed information about versions is contained in the Schneider Electric security bulletin available at: https://download.schneider-electric.com/doc/SEVD-2024-317-04/SEVD-2024-317-04.pdf
Schneider Electric EcoStruxure IT Gateway — versions specified in manufacturer references (document SEVD-2024-317-04)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XSchneider Electric Ecostruxure It Gateway
APPSchneider-Electric1.21.0.61.22.0.31.22.1.51.23.0.4
Related vulnerabilities
CWE-798: Use of hard-coded credentials vulnerability exists that could cause local privilege escalation when l...
In Fazecast jSerialComm, Version 2.2.2 and prior, an uncontrolled search path element vulnerability could allo...
A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unw...
Ujawnienie poświadczeń w urządzeniu Schneider Electric WHC-5918A
Out-of-bounds Write umożliwiający Auth Bypass w Schneider Electric Sage RTU