9.1

CVE-2017-6026

Exploit

EPSS 14.76%
Veröffentlicht 30.06.2017 03:29:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle ics-cert@hq.dhs.gov
Teams Watchlist Login
Unerledigt Login

A Use of Insufficiently Random Values issue was discovered in Schneider Electric Modicon PLCs Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The session numbers generated by the web application are lacking randomization and are shared between several users. This may allow a current session to be compromised.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Schneider-electric ≫ Modicon M251 Firmware Version <= 4.0.3.20

Schneider-electric ≫ Modicon M251 Version-

Schneider-electric ≫ Modicon M241 Firmware Version <= 4.0.3.20

Schneider-electric ≫ Modicon M241 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	14.76%	0.941

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:P/I:P/A:N

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

http://www.securityfocus.com/bid/97254

Third Party Advisory

VDB Entry

https://ics-cert.us-cert.gov/advisories/ICSA-17-089-02

Third Party Advisory

US Government Resource

https://www.exploit-db.com/exploits/45918/

Third Party Advisory

Exploit

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2017-6026

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-6026

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-6026

EUVD