CVE-2014-9188

Schneider Electric ProClima Command Injection

Description

Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8513 and CVE-2014-8514. NOTE: this may be clarified later based on details provided by researchers.

Remediation

Solution:

  • Schneider Electric has released an updated version of the ProClima software, Version 6.1.7, which mitigates these vulnerabilities. Customers are encouraged to download the new version and update their installations. It is important that customers first uninstall the current version. The new version can be downloaded from Schneider Electric’s web site at the following location: http://www.schneider-electric.com/ww/en/download/document/ProClima_software For further information on these vulnerabilities, please see Schneider Electric’s security notification (SEVD 2014-344-01) at Schneider Electric’s cybersecurity web page: http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page%20

Categories

10.0
CVSS
Severity: Critical
CVSS 2.0 •
EPSS 3.04% Top 15%
Vendor Advisory schneider-electric.com
Affected: Schneider Electric ProClima
Published at:
Updated at:

References

Link Tags
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-344-01 patch vendor advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-14-350-01
https://ics-cert.us-cert.gov/advisories/ICSA-14-350-01 patch third party advisory us government resource

Frequently Asked Questions

What is the severity of CVE-2014-9188?
CVE-2014-9188 has been scored as a critical severity vulnerability.
How to fix CVE-2014-9188?
To fix CVE-2014-9188: Schneider Electric has released an updated version of the ProClima software, Version 6.1.7, which mitigates these vulnerabilities. Customers are encouraged to download the new version and update their installations. It is important that customers first uninstall the current version. The new version can be downloaded from Schneider Electric’s web site at the following location: http://www.schneider-electric.com/ww/en/download/document/ProClima_software For further information on these vulnerabilities, please see Schneider Electric’s security notification (SEVD 2014-344-01) at Schneider Electric’s cybersecurity web page: http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page%20
Is CVE-2014-9188 being actively exploited in the wild?
It is possible that CVE-2014-9188 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~3% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2014-9188?
CVE-2014-9188 affects Schneider Electric ProClima.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.