PT-2023-1079 · Schneider Electric · Modicon Momentum Unity M1E Processor+7

Published: 2023-01-10 · Updated: 2023-10-19 · CVE-2022-45788

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

EcoStruxure Control Expert (All Versions)
EcoStruxure Process Expert (All Versions)
Modicon M340 CPU - part numbers BMXP34* (All Versions)
Modicon M580 CPU - part numbers BMEP* and BMEH* (All Versions)
Modicon M580 CPU Safety - part numbers BMEP58S and BMEH58S (All Versions)
Modicon Momentum Unity M1E Processor - 171CBU* (All Versions)
Modicon MC80 - BMKC80 (All Versions)
Legacy Modicon Quantum - 140CPU65* and Premium CPUs - TSXP57* (All Versions)

Description

A vulnerability exists that could cause arbitrary code execution, denial of service, and loss of confidentiality and integrity when a malicious project file is loaded onto the controller. This issue is related to an improper check for unusual or exceptional conditions. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code or cause a denial of service using a specially crafted malicious file.

Recommendations

For all affected versions, consider disabling the loading of project files from untrusted sources until a patch is available. Restrict access to the controller to minimize the risk of exploitation. Avoid using the controller with untrusted project files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Check for Exceptional Conditions

Related Identifiers

BDU:2023-00228
CVE-2022-45788

Affected Products

EcoStruxure Control Expert
EcoStruxure Process Expert
Modicon M340 CPU
Modicon M580 CPU
Modicon M580 CPU Safety
Modicon MC80
Modicon Momentum Unity M1E Processor
Modicon Quantum