Vulnerability Details : CVE-2022-41669
A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists in the SGIUtility component that allows adversaries with local user privileges to load a malicious DLL which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).
Products affected by CVE-2022-41669
- cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:*:*:*:*:*:*:*:*
- cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:-:*:*:*:*:*:*
- cpe:2.3:a:schneider-electric:ecostruxure_operator_terminal_expert:3.3:hotfix1:*:*:*:*:*:*
- cpe:2.3:a:schneider-electric:pro-face_blue:*:*:*:*:*:*:*:*
- cpe:2.3:a:schneider-electric:pro-face_blue:3.3:-:*:*:*:*:*:*
- cpe:2.3:a:schneider-electric:pro-face_blue:3.3:hotfix1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-41669
0.02%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 4 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-41669
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.0
|
HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.0
|
5.9
|
Schneider Electric SE | |
|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
CWE ids for CVE-2022-41669
-
The product does not verify, or incorrectly verifies, the cryptographic signature for data.Assigned by: cybersecurity@se.com (Primary)
References for CVE-2022-41669
-
https://www.se.com/ww/en/download/document/SEVD-2022-284-01/
Security Notification - EcoStruxure Operator Terminal Expert and Pro-face BLUE Security and Safety Notice | Schneider ElectricPatch;Vendor Advisory
Jump to