PT-2021-7529 · Schneider Electric · Modicon M340 Cpu+5

Published: 2021-09-14 · Updated: 2024-04-10 · CVE-2021-22785

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Modicon M340 CPUs: versions prior to V3.40
Modicon M340 X80 Ethernet Communication Modules: BMXNOE0100 (H), BMXNOE0110 (H), BMXNOC0401, BMXNOR0200H RTU (All Versions)
Modicon Premium Processors with integrated Ethernet (Copro): TSXP574634, TSXP575634, TSXP576634 (All Versions)
Modicon Quantum Processors with Integrated Ethernet (Copro): 140CPU65xxxxx (All Versions)
Modicon Quantum Communication Modules: 140NOE771x1, 140NOC78x00, 140NOC77101 (All Versions)
Modicon Premium Communication Modules: TSXETY4103, TSXETY5103 (All Versions)

Description

A CWE-200: Information Exposure issue exists that could cause sensitive information from files in the web root directory to leak when an attacker sends an HTTP request to the device's web server. This could allow a remote attacker to gain unauthorized access to protected information by sending specially crafted HTTP requests.

Recommendations

For Modicon M340 CPUs versions prior to V3.40, update to version V3.40 or later.
For Modicon M340 X80 Ethernet Communication Modules, restrict access to the web server until a patch is available.
For Modicon Premium Processors with integrated Ethernet (Copro), disable the web server functionality until an update is applied.
For Modicon Quantum Processors with Integrated Ethernet (Copro), limit access to the device's web interface.
For Modicon Quantum Communication Modules and Modicon Premium Communication Modules, avoid using the affected modules until a fix is provided.
As a temporary workaround, consider disabling the web server on all affected devices until a patch is available.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2022-07255
CVE-2021-22785

Affected Products

Modicon M340 Cpu
Modicon M340 X80 Ethernet Communication Modules
Modicon Premium Communication Modules
Modicon Premium Processors
Modicon Quantum Communication Modules
Modicon Quantum Processors