CWE-200: Information Exposure vulnerability exists that could cause disclosure of credentials when a specially crafted message is sent to the device.
An attacker sends a specially crafted network message to the device (accessible without authentication and from any network location). Due to a CWE-200 (Information Exposure) class vulnerability, the device discloses stored access credentials. The entire attack requires no privileges or user interaction.
An attacker can obtain access credentials to the device, which consequently may lead to full takeover of the device, unauthorized access to the industrial network, and violation of system confidentiality, integrity, and availability.
Apply patches available from the manufacturer in accordance with security bulletin SEVD-2024-191-01 available on the Schneider Electric website. Until the patch is implemented, it is recommended to restrict network access to the device only to trusted hosts and segment the industrial network.
Schneider Electric WHC-5918A and its firmware — specific versions indicated in manufacturer references (SEVD-2024-191-01)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSchneider Electric Whc 5918a
HWSchneider-Electricwszystkie wersjeSchneider Electric Whc 5918a Firmware
OSSchneider-Electricwszystkie wersje
Related vulnerabilities
A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unw...
Brak autoryzacji w Schneider Electric EcoStruxure IT Gateway (CVSS 10.0)
Out-of-bounds Write umożliwiający Auth Bypass w Schneider Electric Sage RTU
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability ex...
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute a...