Cyber Resilience

CVE-2022-26507

Severity: Critical
Published: 14 April 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none from upstream (see vendor advisory in Deeper analysis)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0670 (91.5th percentile)
Risk Priority: 24 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-26507 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability: a heap-based buffer overflow in the DecodeTreeBlock routine of the XML decompressor in AT&T Labs Xmill 0.7. The same code is reached in Schneider Electric products that bundle the Xmill component (EcoStruxure Control Expert, EcoStruxure Process Expert and RemoteConnect; see Affected Assets below). Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score of 0.0670 places it in the top 8.5% of CVEs by estimated exploit likelihood (91.5th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A heap-based buffer overflow tracked as CVE-2022-26507 affects the DecodeTreeBlock function in the XML decompression path of AT&T Labs Xmill version 0.7. The flaw, classified as CWE-787, lets a crafted input file trigger memory corruption during decompression and carries a CVSS 3.1 score of 9.8. NVD states that it is distinct from several earlier Xmill CVEs (listed under Vulnerability details) and that it affects only products no longer supported by the maintainer.

Because the bug sits in a file decoder, the trigger is a crafted compressed input file rather than a live protocol message: an unauthenticated attacker who can get such a file decompressed by a vulnerable component can achieve remote code execution, with full loss of confidentiality, integrity and availability and no user interaction required. The CVSS vector rates the attack as network-reachable with low complexity. In practice, exposure depends on whether the embedding product decompresses files that arrive from untrusted sources (project-file exchange, network shares, uploads), so that file-handling path is what to inventory when assessing the downstream products listed below.
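The bug class described above, as an added example that is not Xmill's DecodeTreeBlock and not code from Schneider Electric or from any reference on this page: a length-prefixed block decoder written in the vulnerable CWE-787 shape beside its hardened form, plus a header-walking pre-screen that rejects a malformed stream before any byte is decoded. The block layout, the function names and the two sample streams are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical container layout used only for this illustration (not
 * Xmill's real on-disk format): a sequence of blocks, each a 4-byte
 * little-endian payload length followed by that many payload bytes. */
#define OUT_CAP 64

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* CWE-787 pattern: the declared length from the file is trusted. A block
 * whose header says 0xFFFFFFFF makes memcpy write far past 'out' (heap
 * overflow) and read far past 'in'. Kept here only to show the bug shape;
 * never call it on untrusted data. */
long decode_block_unsafe(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_cap) {
    (void)in_len; (void)out_cap;          /* the bug: both limits ignored */
    uint32_t len = rd_u32le(in);
    memcpy(out, in + 4, len);
    return (long)len;
}

/* Hardened form: the length is checked against what remains in the input
 * and against the capacity of the output buffer before any byte moves.
 * Returns the payload length, or -1 if the block is malformed. */
long decode_block_safe(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap) {
    if (in == NULL || out == NULL || in_len < 4)
        return -1;                        /* header itself is truncated */
    uint32_t len = rd_u32le(in);
    if (len > in_len - 4)                 /* safe: in_len >= 4 was checked */
        return -1;                        /* payload runs past the input */
    if (len > out_cap)
        return -1;                        /* payload would overflow 'out' */
    memcpy(out, in + 4, len);
    return (long)len;
}

/* Pre-screening check for a whole stream: walks the block headers without
 * decoding anything. Returns the block count when every header is
 * consistent, or -(index + 1) of the first block whose declared length
 * exceeds the remaining input or the decoder's output capacity. */
long validate_stream(const uint8_t *in, size_t in_len, size_t out_cap) {
    size_t off = 0;
    long idx = 0;
    while (off < in_len) {
        if (in_len - off < 4)
            return -(idx + 1);            /* truncated header */
        uint32_t len = rd_u32le(in + off);
        if (len > in_len - off - 4 || len > out_cap)
            return -(idx + 1);
        off += 4 + (size_t)len;           /* cannot wrap: len <= remaining */
        idx++;
    }
    return idx;
}

/* Constructed sample inputs (not real Xmill data). */
const uint8_t GOOD_STREAM[] = {
    5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o',  /* block 0: 5 payload bytes */
    3, 0, 0, 0, 'x', 'm', 'l'             /* block 1: 3 payload bytes */
};
const uint8_t EVIL_STREAM[] = {
    5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o',  /* block 0: benign */
    0xff, 0xff, 0xff, 0xff, 'A', 'B'      /* block 1: claims 4 GiB, has 2 */
};

int main(void) {
    uint8_t out[OUT_CAP];
    printf("good stream: %ld blocks\n",
           validate_stream(GOOD_STREAM, sizeof GOOD_STREAM, OUT_CAP));
    printf("evil stream: %ld (negative: -(first bad block index + 1))\n",
           validate_stream(EVIL_STREAM, sizeof EVIL_STREAM, OUT_CAP));
    printf("safe decode of evil block: %ld\n",
           decode_block_safe(EVIL_STREAM + 9, sizeof EVIL_STREAM - 9,
                             out, OUT_CAP));
    return 0;
}
```

Build with `cc -Wall -fsanitize=address` and call decode_block_unsafe on `EVIL_STREAM + 9` to watch the sanitizer report the out-of-bounds heap write; decode_block_safe and validate_stream reject the same block with a return value instead. The ordering inside the safe decoder is the detail that most often goes wrong when such checks are retrofitted: `in_len - 4` is only evaluated after `in_len < 4` has been ruled out, so the subtraction cannot wrap and silently pass a truncated header.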

Public references point to Claroty research and Schneider Electric security advisory SEVD-2021-222-02, which cover the downstream products that incorporated the affected Xmill component. No upstream patch exists because the original maintainer has discontinued Xmill; remediation for the Schneider Electric products is governed by the vendor advisory rather than by any Xmill release. The EPSS score has remained flat at 0.0670 with no material increase since disclosure.

Vulnerability details

A heap-based buffer overflow exists in XML Decompression DecodeTreeBlock in AT&T Labs Xmill 0.7. A crafted input file can lead to remote code execution. This is not the same as any of: CVE-2021-21810, CVE-2021-21811, CVE-2021-21812, CVE-2021-21815, CVE-2021-21825, CVE-2021-21826, CVE-2021-21828, CVE-2021-21829, or CVE-2021-21830. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

CWE-787 (Out-of-bounds Write)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: att · Product: xmill · Versions: 0.7
Vendor: schneider-electric · Product: ecostruxure control expert · Versions: 15.1 and earlier (≤ 15.1)
Vendor: schneider-electric · Product: ecostruxure process expert · Versions: ≤ 2021
Vendor: schneider-electric · Product: remoteconnect · Versions: all versions

Mitigating Controls

Likely mitigating controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Non-executable memory (DEP/NX) with ASLR; addresses CWE-787

Shellcode injected through an out-of-bounds heap write cannot execute from pages marked non-executable, and with ASLR an attacker who corrupts control flow (a function pointer or return address) cannot rely on fixed code addresses. These protections raise the cost of exploitation to an information leak plus a code-reuse chain; they do not remove the memory corruption itself, so they are a compensating control for the unsupported Xmill code, not a fix.
