CWE-787: Out-of-bounds Write vulnerability exists that could result in an authentication bypass when sending a malformed POST request and particular configuration parameters are set.
An attacker sends a specially crafted HTTP POST request with an incorrect structure to the device (malformed POST request). In combination with specific device configuration, this causes data to be written outside the intended memory area (out-of-bounds write), which leads to bypassing the authentication process. The vulnerability is accessible over the network without requiring any credentials.
A successful exploit allows an attacker to bypass authentication and gain unauthorized access to the device, which in industrial environments (OT/ICS) can lead to violations of confidentiality, integrity, and availability of controlled systems.
Security patches available from the manufacturer should be applied in accordance with the references — Schneider Electric security bulletin SEVD-2024-163-05 available at the address indicated in the references. Additionally, it is recommended to verify and restrict the configuration of vulnerable parameters and isolate RTU devices from external networks.
Schneider Electric Sage RTU Firmware and devices: Sage 1410, Sage 1430, Sage 1450, Sage 2400 — specific firmware versions indicated in the manufacturer's references (SEVD-2024-163-05)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSchneider Electric Sage 1410
HWSchneider-Electricwszystkie wersjeSchneider Electric Sage 1430
HWSchneider-Electricwszystkie wersjeSchneider Electric Sage 1450
HWSchneider-Electricwszystkie wersjeSchneider Electric Sage 2400
HWSchneider-Electricwszystkie wersjeSchneider Electric Sage 3030 Magnum
HWSchneider-Electricwszystkie wersjeSchneider Electric Sage 4400
HWSchneider-Electricwszystkie wersjeSchneider Electric Sage Rtu Firmware
OSSchneider-Electric≤ c3414-500-s02k5_p8
Related vulnerabilities
CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated user with access...
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability exists th...
CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service of the device’s web interf...
CWE-252: Unchecked Return Value vulnerability exists that could cause denial of service of the device when an ...
CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability exists that coul...