CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
89.4%
Added: 03/14/2016
CVE: CVE-2016-2278
The Schneider Electric StruxureWare Building Operation software suite provides integrated monitoring, control, and management of energy, HVAC, lighting and fire safety. The Automation Server is a building automation system for small and medium-sized buildings.
A vulnerability in the Automation Server product allows remote, authenticated users to bypass the **msh**
(minimal shell) restrictions and execute arbitrary operating system commands. This vulnerability can be exploited using the default admin account if the password has not been changed.
See SEVD-2016-025-01 for fix information.
<https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01>
<https://www.exploit-db.com/exploits/39522/>
Exploit works on Automation Server 1.7 and earlier if the default admin password has not been changed.
Linux
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
89.4%