CVE-2015-3962

Published: 18/09/2015 Updated: 02/02/2022
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Schneider Electric StruxureWare Building Expert MPM prior to 2.15 does not use encryption for the client-server data stream, which allows remote malicious users to discover credentials by sniffing the network.

Vulnerable Product

schneider-electric struxureware building expert multi-purpose management

Recent Articles

Schneider patches yet ANOTHER dumb vuln
The Register • Team Register • 17 Sep 2015

Smart buildings, dumb vulns, does it ever change?

Schneider Electric has pushed out a patch to an industrial control system which – stop me if you've heard this before – passes credentials between client and server in plain text. CVE-2015-3962 applies to the company's Struxureware Building Expert, prior to version 2.15, and the company has released an update to the system (outlined in its advisory, PDF here). The vulnerable system handles air-conditioning, lighting, and metering. The ICS-CERT advisory accompanying the vuln says it hasn't be...