CVE-2020-25176
Rockwell Automation ISaGRAF5 Runtime Relative Path Traversal
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Some commands used by the Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote, unauthenticated attacker to traverse an application’s directory, which could lead to remote code execution.
Algunos comandos usados por el protocolo de Rockwell Automation ISaGRAF Runtime Versiones 4.x y 5.x eXchange Layer (IXL) llevan a cabo varias operaciones de archivo en el sistema de archivos. Dado que el parámetro que apunta al nombre del archivo no es comprobado en busca de caracteres reservados, es posible que un atacante remoto no autenticado recorra el directorio de una aplicación, lo que podría conllevar a una ejecución remota de código
*Credits:
Kaspersky reported these vulnerabilities to Rockwell Automation.
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2020-09-04 CVE Reserved
- 2022-03-18 CVE Published
- 2024-08-04 CVE Updated
- 2024-11-05 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-23: Relative Path Traversal
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://www.cisa.gov/uscert/ics/advisories/icsa-20-280-01 | Third Party Advisory | |
| https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdf | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04 | 2022-04-04 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Schneider-electric Search vendor "Schneider-electric" | Easergy T300 Firmware Search vendor "Schneider-electric" for product "Easergy T300 Firmware" | <= 2.7.1 Search vendor "Schneider-electric" for product "Easergy T300 Firmware" and version " <= 2.7.1" | - |
Affected
| in | Schneider-electric Search vendor "Schneider-electric" | Easergy T300 Search vendor "Schneider-electric" for product "Easergy T300" | - | - |
Safe
|
| Schneider-electric Search vendor "Schneider-electric" | Easergy C5 Firmware Search vendor "Schneider-electric" for product "Easergy C5 Firmware" | < 1.1.0 Search vendor "Schneider-electric" for product "Easergy C5 Firmware" and version " < 1.1.0" | - |
Affected
| in | Schneider-electric Search vendor "Schneider-electric" | Easergy C5 Search vendor "Schneider-electric" for product "Easergy C5" | - | - |
Safe
|
| Schneider-electric Search vendor "Schneider-electric" | Micom C264 Firmware Search vendor "Schneider-electric" for product "Micom C264 Firmware" | < d6.1 Search vendor "Schneider-electric" for product "Micom C264 Firmware" and version " < d6.1" | - |
Affected
| in | Schneider-electric Search vendor "Schneider-electric" | Micom C264 Search vendor "Schneider-electric" for product "Micom C264" | - | - |
Safe
|
| Schneider-electric Search vendor "Schneider-electric" | Pacis Gtw Firmware Search vendor "Schneider-electric" for product "Pacis Gtw Firmware" | 5.1 Search vendor "Schneider-electric" for product "Pacis Gtw Firmware" and version "5.1" | windows |
Affected
| in | Schneider-electric Search vendor "Schneider-electric" | Pacis Gtw Search vendor "Schneider-electric" for product "Pacis Gtw" | - | - |
Safe
|
| Schneider-electric Search vendor "Schneider-electric" | Pacis Gtw Firmware Search vendor "Schneider-electric" for product "Pacis Gtw Firmware" | 5.2 Search vendor "Schneider-electric" for product "Pacis Gtw Firmware" and version "5.2" | windows |
Affected
| in | Schneider-electric Search vendor "Schneider-electric" | Pacis Gtw Search vendor "Schneider-electric" for product "Pacis Gtw" | - | - |
Safe
|
| Schneider-electric Search vendor "Schneider-electric" | Pacis Gtw Firmware Search vendor "Schneider-electric" for product "Pacis Gtw Firmware" | 6.1 Search vendor "Schneider-electric" for product "Pacis Gtw Firmware" and version "6.1" | windows |
Affected
| in | Schneider-electric Search vendor "Schneider-electric" | Pacis Gtw Search vendor "Schneider-electric" for product "Pacis Gtw" | - | - |
Safe
|
| Schneider-electric Search vendor "Schneider-electric" | Pacis Gtw Firmware Search vendor "Schneider-electric" for product "Pacis Gtw Firmware" | 6.3 Search vendor "Schneider-electric" for product "Pacis Gtw Firmware" and version "6.3" | linux |
Affected
| in | Schneider-electric Search vendor "Schneider-electric" | Pacis Gtw Search vendor "Schneider-electric" for product "Pacis Gtw" | - | - |
Safe
|
| Schneider-electric Search vendor "Schneider-electric" | Pacis Gtw Firmware Search vendor "Schneider-electric" for product "Pacis Gtw Firmware" | 6.3 Search vendor "Schneider-electric" for product "Pacis Gtw Firmware" and version "6.3" | windows |
Affected
| in | Schneider-electric Search vendor "Schneider-electric" | Pacis Gtw Search vendor "Schneider-electric" for product "Pacis Gtw" | - | - |
Safe
|
| Schneider-electric Search vendor "Schneider-electric" | Saitel Dp Firmware Search vendor "Schneider-electric" for product "Saitel Dp Firmware" | <= 11.06.21 Search vendor "Schneider-electric" for product "Saitel Dp Firmware" and version " <= 11.06.21" | - |
Affected
| in | Schneider-electric Search vendor "Schneider-electric" | Saitel Dp Search vendor "Schneider-electric" for product "Saitel Dp" | - | - |
Safe
|
| Schneider-electric Search vendor "Schneider-electric" | Epas Gtw Firmware Search vendor "Schneider-electric" for product "Epas Gtw Firmware" | 6.4 Search vendor "Schneider-electric" for product "Epas Gtw Firmware" and version "6.4" | linux |
Affected
| in | Schneider-electric Search vendor "Schneider-electric" | Epas Gtw Search vendor "Schneider-electric" for product "Epas Gtw" | - | - |
Safe
|
| Schneider-electric Search vendor "Schneider-electric" | Epas Gtw Firmware Search vendor "Schneider-electric" for product "Epas Gtw Firmware" | 6.4 Search vendor "Schneider-electric" for product "Epas Gtw Firmware" and version "6.4" | windows |
Affected
| in | Schneider-electric Search vendor "Schneider-electric" | Epas Gtw Search vendor "Schneider-electric" for product "Epas Gtw" | - | - |
Safe
|
| Schneider-electric Search vendor "Schneider-electric" | Saitel Dr Firmware Search vendor "Schneider-electric" for product "Saitel Dr Firmware" | <= 11.06.12 Search vendor "Schneider-electric" for product "Saitel Dr Firmware" and version " <= 11.06.12" | - |
Affected
| in | Schneider-electric Search vendor "Schneider-electric" | Saitel Dr Search vendor "Schneider-electric" for product "Saitel Dr" | - | - |
Safe
|
| Schneider-electric Search vendor "Schneider-electric" | Scd2200 Firmware Search vendor "Schneider-electric" for product "Scd2200 Firmware" | <= 10024 Search vendor "Schneider-electric" for product "Scd2200 Firmware" and version " <= 10024" | - |
Affected
| in | Schneider-electric Search vendor "Schneider-electric" | Cp-3 Search vendor "Schneider-electric" for product "Cp-3" | - | - |
Safe
|
| Schneider-electric Search vendor "Schneider-electric" | Scd2200 Firmware Search vendor "Schneider-electric" for product "Scd2200 Firmware" | <= 10024 Search vendor "Schneider-electric" for product "Scd2200 Firmware" and version " <= 10024" | - |
Affected
| in | Schneider-electric Search vendor "Schneider-electric" | Mc-31 Search vendor "Schneider-electric" for product "Mc-31" | - | - |
Safe
|
| Rockwellautomation Search vendor "Rockwellautomation" | Micro810 Firmware Search vendor "Rockwellautomation" for product "Micro810 Firmware" | - | - |
Affected
| in | Rockwellautomation Search vendor "Rockwellautomation" | Micro810 Search vendor "Rockwellautomation" for product "Micro810" | - | - |
Safe
|
| Rockwellautomation Search vendor "Rockwellautomation" | Micro820 Firmware Search vendor "Rockwellautomation" for product "Micro820 Firmware" | - | - |
Affected
| in | Rockwellautomation Search vendor "Rockwellautomation" | Micro820 Search vendor "Rockwellautomation" for product "Micro820" | - | - |
Safe
|
| Rockwellautomation Search vendor "Rockwellautomation" | Micro830 Firmware Search vendor "Rockwellautomation" for product "Micro830 Firmware" | - | - |
Affected
| in | Rockwellautomation Search vendor "Rockwellautomation" | Micro830 Search vendor "Rockwellautomation" for product "Micro830" | - | - |
Safe
|
| Rockwellautomation Search vendor "Rockwellautomation" | Micro850 Firmware Search vendor "Rockwellautomation" for product "Micro850 Firmware" | - | - |
Affected
| in | Rockwellautomation Search vendor "Rockwellautomation" | Micro850 Search vendor "Rockwellautomation" for product "Micro850" | - | - |
Safe
|
| Rockwellautomation Search vendor "Rockwellautomation" | Micro870 Firmware Search vendor "Rockwellautomation" for product "Micro870 Firmware" | - | - |
Affected
| in | Rockwellautomation Search vendor "Rockwellautomation" | Micro870 Search vendor "Rockwellautomation" for product "Micro870" | - | - |
Safe
|
| Rockwellautomation Search vendor "Rockwellautomation" | Aadvance Controller Search vendor "Rockwellautomation" for product "Aadvance Controller" | <= 1.40 Search vendor "Rockwellautomation" for product "Aadvance Controller" and version " <= 1.40" | - |
Affected
| ||||||
| Rockwellautomation Search vendor "Rockwellautomation" | Isagraf Free Runtime Search vendor "Rockwellautomation" for product "Isagraf Free Runtime" | <= 6.6.8 Search vendor "Rockwellautomation" for product "Isagraf Free Runtime" and version " <= 6.6.8" | isagraf6_workbench |
Affected
| ||||||
| Rockwellautomation Search vendor "Rockwellautomation" | Isagraf Runtime Search vendor "Rockwellautomation" for product "Isagraf Runtime" | >= 5.0 < 6.0 Search vendor "Rockwellautomation" for product "Isagraf Runtime" and version " >= 5.0 < 6.0" | - |
Affected
| ||||||
| Xylem Search vendor "Xylem" | Multismart Firmware Search vendor "Xylem" for product "Multismart Firmware" | < 3.2.0 Search vendor "Xylem" for product "Multismart Firmware" and version " < 3.2.0" | - |
Affected
| ||||||