Message-ID: <PAXP190MB164702353A60A15194654C9EFE1DA@PAXP190MB1647.EURP190.PROD.OUTLOOK.COM>
Date: Tue, 23 Sep 2025 11:55:36 +0000
From: Thomas Weber | CyberDanube via Fulldisclosure
 <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CyberDanube Security Research 20250909-0 | Cross-Site
 Scripting in Schneider ATV 630

CyberDanube Security Research 20250909-0
-------------------------------------------------------------------------------
                title| Reflected XSS
              product| ATV 630
   vulnerable version| "see Vulnerable versions"
        fixed version| none
           CVE number| CVE-2025-7746
               impact| Medium
             homepage| https://www.se.com/
                found| 2025-03-11
                   by| T. Weber (Office Vienna)
                     | D. Blagojevic
                     | CyberDanube Security Research
                     | Vienna | St. Pölten
                     |
                     | https://www.cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"Schneider’s purpose is to create Impact by empowering all to make the most of
our energy and resources, bridging progress and sustainability. At Schneider,
we call this Life Is On.
Our mission is to be the trusted partner in Sustainability and Efficiency.
[...]"

Source: https://www.se.com/ww/en/about-us/company-profile/


Vulnerable versions
-------------------------------------------------------------------------------
ATV630:
app     V3.4IE35
eth     V1.FIE26
cpld    V0.0IE16
pwr     V1.3IE08
mc      V3.4IE35
product v3.4IE35

See also the security notification from Schneider Electric:
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-252-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-252-01.pdf

Vulnerability overview
-------------------------------------------------------------------------------
1) Reflected Cross-Site Scripting (CVE-2025-7746)
A Reflected Cross-Site Scripting vulnerability was identified in the web
interface of the device. The ClientNonce parameter can be abused to inject
JavaScript code. An attacker can exploit this vulnerability by luring a victim
to visit a malicious website. Furthermore, it is possible to hijack the session
of the attacked user.


Proof of Concept
-------------------------------------------------------------------------------
1) Reflected Cross-Site Scripting (CVE-2025-7746)
During the logon process, a ClientNonce can be specified to trigger a cross-site
scripting vulnerability. The following request to the server contains script
code to demonstrate this problem:
-------------------------------------------------------------------------------
GET /<redacted-patch-is-missing> HTTP/1.1
Host: 172.21.241.60
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Origin: http://172.21.241.60
Connection: close
Referer: http://172.21.241.60/
Cookie: 20c7ac82=1
-------------------------------------------------------------------------------
The web server of the device responds without filtering the payload. Therefore,
the script code gets executed:
-------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Fri, 09 Jan 1970 22:53:45 GMT
Server: Document not found
Connection: Close
Content-Type: text/html; charset=utf-8
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Set-Cookie: z9ZAqJtI=93f19ed6000bcdf9; path=/

r="<redacted-patch-is-missing>5r3e4AVzTY+Fkc5aEaga5CRsIC8eOUUux/Al36Ffr7U=,s=4fcb2dd77ee4bc4e1d9066e371c2034d1b55e07d28b9474e692c3f3531992b17,i=4096
-------------------------------------------------------------------------------
This vulnerability can be triggered via GET and POST requests.
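To show the defect in code, here is an added example (not the device's firmware and not code from the advisory) of the reflected pattern described above beside a hardened handler. It assumes the login exchange is SCRAM-style (the "r=", "s=", "i=" attributes in the quoted response suggest this) and that a well-formed ClientNonce is base64 text; both are assumptions.

```python
import base64
import html
import os
import re

# Assumption (not stated by the advisory): a legitimate ClientNonce is base64
# text, as the "r=" value in the quoted response suggests. RFC 5802 allows any
# printable ASCII except ',' in a SCRAM nonce, which still includes '<', '>'
# and '"', so an allowlist alone is not enough; content type and encoding
# matter too.
NONCE_RE = re.compile(r"^[A-Za-z0-9+/]{16,128}={0,2}$")


def validate_client_nonce(client_nonce):
    """Allowlist check: True only if the nonce is base64 text of sane length."""
    return NONCE_RE.fullmatch(client_nonce) is not None


def vulnerable_response(client_nonce, salt_hex):
    """The pattern the advisory describes: the client-supplied nonce is echoed
    into a text/html body with no validation and no output encoding."""
    body = 'r="%s,s=%s,i=4096' % (client_nonce, salt_hex)
    return {"Content-Type": "text/html; charset=utf-8"}, body


def hardened_response(client_nonce, salt_hex, server_nonce=None):
    """Rejects nonces outside the allowlist, then serves the server-first
    message as non-HTML with metacharacters escaped and MIME sniffing
    disabled, so a reflected value can never run as script."""
    if not validate_client_nonce(client_nonce):
        raise ValueError("ClientNonce rejected: not a base64 nonce")
    if server_nonce is None:
        # Fresh server nonce appended to the client nonce, as SCRAM does.
        server_nonce = base64.b64encode(os.urandom(24)).decode()
    msg = "r=%s%s,s=%s,i=4096" % (client_nonce, server_nonce, salt_hex)
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'",
    }
    return headers, html.escape(msg, quote=True)
```

The allowlist is the primary control; the content type, `nosniff` and escaping are defence in depth for the day the allowlist is loosened.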

Solution
-------------------------------------------------------------------------------
None. A firmware update will be published by Schneider Electric.

Workaround
-------------------------------------------------------------------------------
Restrict network access to the management interface.

Recommendation
-------------------------------------------------------------------------------
A full security review is recommended by CyberDanube.


Contact Timeline
-------------------------------------------------------------------------------
2025-03-11: Contacted Schneider Electric PSIRT and sent advisory via PGP.
2025-03-12: Received case tracking number from Schneider Electric PSIRT.
2025-04-10: Asking for an update.
2025-04-14: Vendor confirmed the vulnerability.
2025-05-21: Asking for an update.
2025-05-22: Vendor targets to publish an update on 9th of September. Set
            disclosure date to 2025-09-09.
2025-06-23: Asking for an update; Vendor responded that they will notify us if
            an earlier publication is planned.
2025-09-02: PSIRT informed us that the patch cannot be delivered on 9th of
            September. Re-send advisory to sync about published information.
2025-09-04: Redacted XSS PoC code in the advisory has been redacted upon
            request from PSIRT.
2025-09-09: Coordinated release of security advisory.

Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF T. Weber / @2025
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
