Vulnerability Spotlight: Remote code execution vulnerabilities in Schneider Electric EcoStruxure

Vulnerability Spotlight: Remote code execution vulnerabilities in Schneider Electric EcoStruxure


Alexander Perez-Palma and Jared Rittle of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.


Cisco Talos recently discovered two code execution vulnerabilities in Schneider Electric EcoStruxure. An attacker could exploit these vulnerabilities by sending the victim a specially crafted network request or project archive. coStruxure Control Expert (formerly UnityPro) is Schneider Electric's flagship software for program development, maintenance, and monitoring of industrial networks.


In accordance with our coordinated disclosure policy, Cisco Talos worked with Schneider to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details


Schneider Electric EcoStruxure Control Expert PLC Simulator Modbus message processing remote code execution vulnerability (TALOS-2020-1140/CVE-2020-7559)


A code execution vulnerability exists in the Modbus message-processing functionality of Schneider Electric EcoStruxure Control Expert PLC Simulator 14.1. A specially crafted network request can lead to remote code execution. An attacker can send a large Modbus request to trigger this vulnerability.


Read the complete vulnerability advisory here for additional information. 


Schneider Electric EcoStruxure Control Expert PLC Simulator Modbus message processing remote code execution vulnerability (TALOS-2020-1144/CVE-2020-7560)


A local code execution vulnerability exists in the APX project file processing functionality of Schneider Electric EcoStruxure Control Expert 14.1. The opening of a STA project ..

Support the originator by clicking the read the rest link below.