Directory traversal vulnerability in SchneiderWEB on Schneider Electric Modicon PLC Ethernet modules 140CPU65x Exec before 5.5, 140NOC78x Exec before 1.62, 140NOE77x Exec before 6.2, BMXNOC0401 before 2.05, BMXNOE0100 before 2.9, BMXNOE0110x Exec before 6.0, TSXETC101 Exec before 2.04, TSXETY4103x Exec before 5.7, TSXETY5103x Exec before 5.9, TSXP57x ETYPort Exec before 5.7, and TSXP57x Ethernet Copro Exec before 5.5 allows remote attackers to visit arbitrary resources via a crafted HTTP request.
Fixes

Solution

Please see Schneider Electric’s vulnerability disclosure (SEVD-2014-260-01)Schneider Electric Vulnerability Disclosure – Modicon Ethernet Comm Modules - SEVD-2014-260-01 - http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2014-260-01 . for more detailed information on which product part numbers are affected, as well as the complete list of which devices have released firmware updates available. This vulnerability disclosure can be downloaded at the following URL:  http://www.schneider-electric.com/ww/en/download/


Workaround

Search downloads for SEVD-14-260-01, then keyword SEVD-14-260-01 to download the vulnerability disclosure. This URL site can also be used to download firmware updates identified in the vulnerability disclosure. Schneider Electric also recommends the following measures to mitigate the vulnerability for the remaining affected devices: * Use a deep packet inspection firewall to prevent HTTP requests to the product that contains traversals in the URL. * Disable Port 80 (HTTP) on modules where it is possible. * Block Port 80 in firewalls to these devices, except for trusted devices. Please contact Schneider Electric Customer Care Center for more information.

History

Tue, 26 Aug 2025 00:00:00 +0000


cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2025-08-25T23:45:03.684Z

Reserved: 2014-01-02T00:00:00

Link: CVE-2014-0754

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2014-10-03T18:55:06.017

Modified: 2025-08-26T00:15:30.757

Link: CVE-2014-0754

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.