CVE-2020-28221

2021-01-2517:08:37

CWE-20

schneider

www.cve.org

9.7 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.9%

JSON

A CWE-20: Improper Input Validation vulnerability exists in EcoStruxure™ Operator Terminal Expert and Pro-face BLUE (version details in the notification) that could cause arbitrary code execution when the Ethernet Download feature is enable on the HMI.

CNA Affected

[
  {
    "product": "EcoStruxure™ Operator Terminal Expert 3.1 Service Pack 1A and prior running on Harmony HMIs HMIST6 Series, HMIG3U in HMIGTU Series, HMISTO Series and Pro-face BLUE 3.1 Service Pack 1A and prior running on Pro-face HMIs: ST6000 Series, SP-5B41 in SP5000 Series, GP4100 Series",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "EcoStruxure™ Operator Terminal Expert 3.1 Service Pack 1A and prior running on Harmony HMIs HMIST6 Series, HMIG3U in HMIGTU Series, HMISTO Series and Pro-face BLUE 3.1 Service Pack 1A and prior running on Pro-face HMIs: ST6000 Series, SP-5B41 in SP5000 Series, GP4100 Series"
      }
    ]
  }
]

References

www.se.com/ww/en/download/document/SEVD-2021-012-01/