CVE-2018-7836

Name of the Vulnerable Software and Affected Versions Schneider Electric IIoT Monitor version 3.1.38

Description The issue is related to the lack of restrictions on file uploads, allowing a remote attacker to upload and execute malicious files that can be automatically processed within the product environment. This can lead to remote code execution. The vulnerability affects various methods of the IIoT Monitor software, including upload functionalities in DeviceMapMgmt, RecoveryMgmt, ProtectionMgmt, SettingMgmt, and UpgradeMgmt.

Recommendations For version 3.1.38, consider restricting or disabling the file upload functionality until a patch is available to prevent potential exploitation. Additionally, restrict access to the vulnerable upload endpoints, such as those in DeviceMapMgmt, RecoveryMgmt, ProtectionMgmt, SettingMgmt, and UpgradeMgmt, to minimize the risk of remote code execution. Avoid using the upload feature in these modules until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.