Schneider Electric is aware of vulnerability in the Modbus Serial Driver Component, reported Schneider Electric in her website.
Schneider Electric Modbus Serial Driver is used by Schneider Electric products to communicate
with devices using the Modbus Serial protocol.
The version below is affected:
• Schneider Electric Modbus Serial Driver (64 bits) versions prior to V3.20 IE 30.
• Schneider Electric Modbus Serial Driver (32 bits) versions prior to V2.20 IE 30.
• Schneider Electric Modbus Driver Suite versions prior to V14.15.0.0.
The Modbus Serial Driver is used by the following products*:
• Ecostruxure Control Expert (formerly known as Unity Pro)
• Unity Loader
• EcoStruxure Process Expert (formerly known as Hybrid DCS)
• EcoStruxure OPC UA Server Expert
• OPC Factory Server
• Advantys Configuration Software
• Modbus Communications DTM (Field Devices)
• SoMove
• Ecostruxure Machine Expert (formerly known as SoMachine)
• Ecostruxure Machine Expert Basic
• Harmony® eXLhoist
• EcoStruxure Power Commission
CVE-2020-7523 Improper Privilege Management vulnerability exists which could cause local privilege escalation when the Modbus Serial Driver service is invoked.
“The driver does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.”, says Schneider in her reports.
Schneider advice her users to update the new patches in this link to make the job more secure.
For more secure and hardening the product you can find instruction here.