Vulnerability Key Information Vulnerability Overview Discoverers: Positive Technologies Research Team (Timur Yunusov, Ilya Karpov, Sergey Gordeychik, Alexey Osipov, Dmitry Serebryannikov) Affected Products: Multiple versions of Schneider Electric Wonderware Information Server (WIS) Vulnerability Types: - Insufficient Encryption Strength (CWE-326) - Cross-Site Scripting (XSS) (CWE-79) - Improper Input Validation (CWE-20) - SQL Injection (CWE-89) Impact Remote Code Execution Information Disclosure Session Hijacking Impact varies based on organizational factors, including operational environment, architecture, and product implementation Vulnerability Details CVE-2014-2381NVD: Insufficient encryption strength, CVSS v2 base score 2.1 (local access) CVE-2014-2380NVD: Cross-site scripting, CVSS v2 base score 7.8 (network access) CVE-2014-5397NVD: Improper input validation, CVSS v2 base score 7.5 (local access) CVE-2014-5398NVD: SQL injection, CVSS v2 base score 2.1 (local access) CVE-2014-5399NVD: SQL injection, CVSS v2 base score 7.5 (network access) Exploitation Some vulnerabilities can be exploited remotely Improper input validation vulnerability requires user interaction Mitigation Measures Schneider Electric has released security updates Recommended to upgrade to WIS version 5.5 and apply patches Set browser security level to "Medium - High" Use HTTPS Minimize network exposure Place control system networks and remote devices behind firewalls