Multiple vulnerabilities in Schneider Electric Zelio Soft 2

Published: 2024-10-16 | Updated: 2024-10-18

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2024-8422 CVE-2024-8518
CWE-ID	CWE-416 CWE-20
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Zelio Soft 2 Hardware solutions / Firmware
Vendor	Schneider Electric

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU98737

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-8422

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error. A remote attacker can trick a victim to open a specially crafted Zelio Soft 2 project file and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zelio Soft 2: before 5.4.2.2

CPE2.3

cpe:2.3:h:schneider_electric:zelio_soft_2:*:*:*:*:*:*:*:

External links

http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-282-06&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-282-06.pdf
http://www.cisa.gov/news-events/ics-advisories/icsa-24-284-14
http://www.zerodayinitiative.com/advisories/ZDI-24-1415/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU98738

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-8518

CWE-ID: CWE-20 - Improper input validation