CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS
Percentile: 30.2%

Successful exploitation of these vulnerabilities may allow an attacker to execute arbitrary code on the host PC, leading to sensitive information disclosure or unintended user actions.
The following versions of GUIcon software are affected
This vulnerability may cause arbitrary code execution when a malicious *.gd1 configuration file is loaded into the GUIcon tool.
CVE-2021-22807 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
This vulnerability may cause arbitrary code execution when a malicious *.gd1 configuration file is loaded into the GUIcon tool.
CVE-2021-22808 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
This vulnerability may cause arbitrary code execution when a malicious *.gd1 configuration file is loaded into the GUIcon tool.
CVE-2021-22809 has been assigned to this vulnerability. A CVSS v3 base score of 4.4 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L).
Michael Heinzl reported these vulnerabilities to CISA.
The GUIcon software tool was discontinued in June 2020 and is no longer supported. Users should immediately apply the following mitigation to reduce the risk of exploit:
Schneider Electric strongly recommends the following industry cybersecurity best practices:
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22807
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22808
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22809
cwe.mitre.org/data/definitions/125.html
cwe.mitre.org/data/definitions/416.html
cwe.mitre.org/data/definitions/787.html
download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-313-07
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
www.se.com/us/en/download/document/7EN52-0390/