CVE-2014-0754

Schneider Electric

Description

Directory traversal vulnerability in SchneiderWEB on Schneider Electric Modicon PLC Ethernet modules 140CPU65x Exec before 5.5, 140NOC78x Exec before 1.62, 140NOE77x Exec before 6.2, BMXNOC0401 before 2.05, BMXNOE0100 before 2.9, BMXNOE0110x Exec before 6.0, TSXETC101 Exec before 2.04, TSXETY4103x Exec before 5.7, TSXETY5103x Exec before 5.9, TSXP57x ETYPort Exec before 5.7, and TSXP57x Ethernet Copro Exec before 5.5 allows remote attackers to visit arbitrary resources via a crafted HTTP request.

Remediation

Solution:

  • Please see Schneider Electric’s vulnerability disclosure (SEVD-2014-260-01)Schneider Electric Vulnerability Disclosure – Modicon Ethernet Comm Modules - SEVD-2014-260-01 - http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2014-260-01 . for more detailed information on which product part numbers are affected, as well as the complete list of which devices have released firmware updates available. This vulnerability disclosure can be downloaded at the following URL:  http://www.schneider-electric.com/ww/en/download/

Workaround:

  • Search downloads for SEVD-14-260-01, then keyword SEVD-14-260-01 to download the vulnerability disclosure. This URL site can also be used to download firmware updates identified in the vulnerability disclosure. Schneider Electric also recommends the following measures to mitigate the vulnerability for the remaining affected devices: * Use a deep packet inspection firewall to prevent HTTP requests to the product that contains traversals in the URL. * Disable Port 80 (HTTP) on modules where it is possible. * Block Port 80 in firewalls to these devices, except for trusted devices. Please contact Schneider Electric Customer Care Center for more information.

Category

10.0
CVSS
Severity: Critical
CVSS 2.0 •
EPSS 5.41% Top 15%
Vendor Advisory schneider-electric.com
Affected: Schneider Electric Ethernet modules for M340, Quantum and Premium PLC ranges
Published at:
Updated at:

References

Link Tags
http://www.securityfocus.com/bid/70193 vdb entry third party advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-14-273-01
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2014-260-01
http://download.schneider-electric.com/files?p_Reference=SEVD-2014-260-01&p_EnDocType=Software%20-%20Updates&p_File_Id=608959359&p_File_Name=SEVD-2014-260-01.pdf patch vendor advisory
https://ics-cert.us-cert.gov/advisories/ICSA-14-273-01 third party advisory us government resource

Frequently Asked Questions

What is the severity of CVE-2014-0754?
CVE-2014-0754 has been scored as a critical severity vulnerability.
How to fix CVE-2014-0754?
To fix CVE-2014-0754: Please see Schneider Electric’s vulnerability disclosure (SEVD-2014-260-01)Schneider Electric Vulnerability Disclosure – Modicon Ethernet Comm Modules - SEVD-2014-260-01 - http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2014-260-01 . for more detailed information on which product part numbers are affected, as well as the complete list of which devices have released firmware updates available. This vulnerability disclosure can be downloaded at the following URL:  http://www.schneider-electric.com/ww/en/download/
Is CVE-2014-0754 being actively exploited in the wild?
It is possible that CVE-2014-0754 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~5% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2014-0754?
CVE-2014-0754 affects Schneider Electric Ethernet modules for M340, Quantum and Premium PLC ranges.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.