Cyber Resilience

CVE-2022-37300

Critical

Published: 12 September 2022

Published
12 September 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0057 69.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-37300 is a critical-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Schneider-Electric Ecostruxure Control Expert. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 30.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name…

more

of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoStruxure Process Expert, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior), Modicon M340 CPU (part numbers BMXP34*) (V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*) (V3.20 and prior).

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

schneider-electric
ecostruxure control expert
≤ 15.1
schneider-electric
ecostruxure process expert
≤ 2021
schneider-electric
modicon m340 bmxp341000 firmware
≤ 3.50
schneider-electric
modicon m340 bmxp342000 firmware
≤ 3.50
schneider-electric
modicon m340 bmxp342010 firmware
≤ 3.50
schneider-electric
modicon m340 bmxp3420102 firmware
≤ 3.50
schneider-electric
modicon m340 bmxp342020 firmware
≤ 3.50
schneider-electric
modicon m340 bmxp342020h firmware
≤ 3.50
schneider-electric
modicon m340 bmxp342030 firmware
≤ 3.50
schneider-electric
modicon m340 bmxp3420302 firmware
≤ 3.50
+26 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-640

Establishing procedures for lost or compromised authenticators addresses weak password recovery mechanisms.

References