CRITICAL🇵🇱 Wersja polska

CVE-2024-6407

CVSS 9.8v3.1pub. 2024-07-11upd. 2024-11-21

CWE-200: Information Exposure vulnerability exists that could cause disclosure of credentials when a specially crafted message is sent to the device.

🤖 AI Analysis
How it works

An attacker sends a specially crafted network message to the device (accessible without authentication and from any network location). Due to a CWE-200 (Information Exposure) class vulnerability, the device discloses stored access credentials. The entire attack requires no privileges or user interaction.

Impact

An attacker can obtain access credentials to the device, which consequently may lead to full takeover of the device, unauthorized access to the industrial network, and violation of system confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the manufacturer in accordance with security bulletin SEVD-2024-191-01 available on the Schneider Electric website. Until the patch is implemented, it is recommended to restrict network access to the device only to trusted hosts and segment the industrial network.

Who is affected

Schneider Electric WHC-5918A and its firmware — specific versions indicated in manufacturer references (SEVD-2024-191-01)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Schneider Electric Whc 5918a

    HW
    Schneider-Electric
    wszystkie wersje
  • Schneider Electric Whc 5918a Firmware

    OS
    Schneider-Electric
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2018-7841CRITICAL9.8⚠ KEVten sam vendor

A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unw...

CVE-2024-10575CRITICAL10.0PL ✓ten sam vendor

Brak autoryzacji w Schneider Electric EcoStruxure IT Gateway (CVSS 10.0)

CVE-2024-37036CRITICAL9.8PL ✓ten sam vendor

Out-of-bounds Write umożliwiający Auth Bypass w Schneider Electric Sage RTU

CVE-2023-5399CRITICAL9.8ten sam vendor

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability ex...

CVE-2023-5391CRITICAL9.8ten sam vendor

A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute a...