Rewterz Threat Advisory – ICS: Schneider Electric IGSS
June 9, 2021Rewterz Threat Advisory – CVE-2021-22749 – ICS: Schneider Electric Modicon X80
June 9, 2021Rewterz Threat Advisory – ICS: Schneider Electric IGSS
June 9, 2021Rewterz Threat Advisory – CVE-2021-22749 – ICS: Schneider Electric Modicon X80
June 9, 2021Severity
High
Analysis Summary
CVE-2021-27657
Metasys servers, engines, and tools do not properly assign, modify, track, or check privileges for an actor, thus creating an unintended sphere of control for the said actor. Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system.
Impact
- Improper Privilege Management
- Privilege Escalation
Affected Vendors
Johnson Controls
Affected Products
- Metasys all versions
Remediation
Refer to vendor advisory for the complete list of affected products and their respective patches at https://us-cert.cisa.gov/ics/advisories/icsa-21-159-01