RCE in Schneider Electric Struxureware Data Center Expert
CVE-2023-37199
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored.
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.008 (50.1th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 6.8 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H.
Affected products
- Schneider Electric Struxureware Data Center Expert — versions v7.9.3 and earlier
- Schneider-electric Struxureware_data_center_expert
Weakness classification (CWE)
References
- cybersecurity@se.com (Vendor Advisory)
Frequently asked questions
- What is CVE-2023-37199?
- CVE-2023-37199 is a medium-severity vulnerability in Schneider Electric Struxureware Data Center Expert, classified under Code Injection. CVSS score: 6.8/10. Published 2023-07-12.
- How severe is CVE-2023-37199?
- Medium severity. CVSS v3 base score is 6.8 out of 10.