CVE-2021-22779

9.1 CRITICAL

Published: 2021-07-14 · Last updated: 2026-05-29

Severity and scoring

CVSS: 9.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-290 (Authentication Bypass by Spoofing)

Affected products

Vendor: schneider-electric
Products: ecostruxure_control_expert, ecostruxure_process_expert, modicon_m340_bmxp341000_firmware

Description

Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), SCADAPack RemoteConnect for x70 (all versions), Modicon M580 CPU (all versions - part numbers BMEP* and BMEH*), Modicon M340 CPU (all versions - part numbers BMXP34*), that could cause unauthorized access in read and write mode to the controller by spoofing the Modbus communication between the engineering software and the controller.

Source: NVD

Related CVEs

Same vendor

  • CVE-2026-6332 CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of a sensitive information whic... (7.5 HIGH)
  • CVE-2022-0715 A CWE-287: Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS when a... (9.1 CRITICAL)
  • CVE-2021-22788 A CWE-787: Out-of-bounds Write vulnerability exists that could cause denial of service when an attacker sends a specially crafted HTTP re... (7.5 HIGH)
  • CVE-2021-22787 A CWE-20: Improper Input Validation vulnerability exists that could cause denial of service of the device when an attacker sends a specia... (7.5 HIGH)
  • CVE-2021-22785 A CWE-200: Information Exposure vulnerability exists that could cause sensitive information of files located in the web root directory to... (7.5 HIGH)

Same CWE

  • CVE-2026-53833 OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders... (7.7 HIGH)
  • CVE-2026-53832 OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy id... (7.7 HIGH)
  • CVE-2026-53823 OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names (8.1 HIGH)
  • CVE-2026-5792 Authentication bypass by spoofing vulnerability in Hedef Media Promotion Interactive Media Marketing Inc (6.5 MEDIUM)
  • CVE-2026-53817 OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to... (8.8 HIGH)