CVE-2024-11999

CVSS 8.7 HIGHEPSS 0.6%CWE-1104

In short

A vulnerability in HMI products allows an authenticated user to install malicious code that could give attackers complete control of the device. This happens because the product uses outdated third-party components that are no longer maintained and supported.

Technical detail

CWE-1104 involves use of unmaintained third-party components in HMI software. An authenticated attacker can exploit this by installing malicious code through the HMI interface, leveraging unpatched vulnerabilities in the third-party dependencies to achieve arbitrary code execution and full device compromise.

Summary generated and translated by AI from the official description.

CWE-1104: Use of Unmaintained Third-Party Components vulnerability exists that could cause complete control of the device when an authenticated user installs malicious code into HMI product.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Schneider Electric · Harmony (Formerly Magelis) HMIST6, HMISTM6, HMIG3U, HMIG3X, HMISTO7 series with EcoStruxure Operator Terminal Expert runtime Schneider Electric · PFXST6000, PFXSTM6000, PFXSP5000, PFXGP4100 series with Pro-face BLUE runtime

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-345-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-345-02.pdf