PT-2017-17809 · Schneider Electric · Modicon Tm221Ce16R+1

Published: 2017-04-06 · Updated: 2026-05-29 · CVE-2017-7574

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions

Schneider Electric SoMachine Basic version 1.4 SP1
Schneider Electric Modicon TM221CE16R version 1.3.3.3

Description

The issue concerns a hardcoded-key vulnerability in the Project Protection feature, which is used to prevent unauthorized access to XML protected project files by prompting for a password. The XML file is encrypted using AES-CBC, but the encryption key, SoMachineBasicSoMachineBasicSoMa, is hardcoded and cannot be changed. An attacker can decrypt the XML file using this key, obtain the user password from the decrypted data, and then open and modify the project using the affected product.

Recommendations

For Schneider Electric SoMachine Basic version 1.4 SP1, consider disabling the Project Protection feature until a patch is available. For Schneider Electric Modicon TM221CE16R version 1.3.3.3, restrict access to the project files to minimize the risk of exploitation. As a temporary workaround, avoid using the Project Protection feature with the hardcoded key until the issue is resolved.

Fix

Using Hardcoded Credentials

Weakness Enumeration

Related Identifiers

CVE-2017-7574

Affected Products

Modicon Tm221Ce16R
Somachine Basic