CVE-2020-25176
Published: 18 March 2022
Summary
CVE-2020-25176 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in Schneider-Electric Pacis Gtw Firmware. Its CVSS base score is 9.1 (Critical).
Operationally, ranked in the top 12.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-17867
Vulnerability details
Some commands used by the Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it…
more
is possible for a remote, unauthenticated attacker to traverse an application’s directory, which could lead to remote code execution.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.