ExploitCVE-2024-8530
Missing Authentication for Critical Function (CWE-306)
Summary
A vulnerability in Schneider Electric EcoStruxure Data Center Expert allows remote attackers to disclose sensitive information without requiring authentication. The specific flaw is in the handling of log files, where there is a lack of authentication prior to allowing access to functionality.
Impact
This vulnerability can be exploited by remote attackers to disclose sensitive information, which could lead to further compromise of the affected systems. The attack vector is network-based, and no user interaction is required. While the attack complexity is high, it does not require any privileges to exploit. The confidentiality impact is high, but there is no impact on integrity or availability.
Exploitation
One proof-of-concept exploit is available on zerodayinitiative.com. There is no evidence of proof of exploitation at the moment.
Patch
A patch is available. Schneider Electric has released EcoStruxure IT Data Center Expert version 8.2.0, which addresses this vulnerability.
Mitigation
1. Update to EcoStruxure IT Data Center Expert version 8.2.0 or later. 2. Implement network segmentation and access controls to limit exposure of the affected systems. 3. Monitor log files and system access for any suspicious activities. 4. Implement strong authentication mechanisms for all critical functions. 5. Follow the principle of least privilege for user accounts and system access.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Timeline
Feedly found the first article mentioning CVE-2024-8530. See article
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-8530
A CVSS base score of 5.9 has been assigned.
Feedly estimated the CVSS score as MEDIUM
EPSS Score was set to: 0.04% (Percentile: 9.7%)