1. EXECUTIVE SUMMARY
- CVSS v4 5.4
- ATTENTION: Low attack complexity
- Vendor: Schneider Electric
- Equipment: Trio Q Licensed Data Radio
- Vulnerabilities: Insecure Storage of Sensitive Information, Initialization of a Resource with an Insecure Default
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to access confidential information, compromise the integrity of the affected product, or affect its availability.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
- Schneider Electric Trio Q Licensed Data Radio: Versions prior to 2.7.2
3.2 VULNERABILITY OVERVIEW
3.2.1 INSECURE STORAGE OF SENSITIVE INFORMATION CWE-922
An insecure storage of sensitive information vulnerability exists that could potentially lead to unauthorized access to confidential data when a malicious user with physical access and advanced knowledge of the filesystem sets the radio to factory default mode.
CVE-2025-2440 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-2440. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2
[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.
This article has been indexed from All CISA Advisories
Read the original article: