CVE-2016-2278

Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
schneider-electricstruxureware_building_operations_automation_server_as_firmware
𝑥
≤ 1.7
schneider-electricstruxureware_building_operations_automation_server_as-p_firmware
1.7
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-025-01
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01
https://www.exploit-db.com/exploits/39522/
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2016-025-01
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01
https://www.exploit-db.com/exploits/39522/