CVE-2024-6596

Summary

An unauthenticated remote attacker can run malicious c# code included in curve files and execute commands in the users context.

Affected Software

VendorProductVersion RangeStatus
Endress+HauserEcho Curve Viewer0 <= 5.2.2.6affected
Endress+HauserFieldCare SFE500 Package USB0 <= V1.40.00.7448affected
Endress+HauserFieldCare SFE500 Package Web-Package0 <= V1.40.00.7448affected
Endress+HauserField Xpert SMT500 <= SMT50_Win10_LTSC_21H2_v1.07.00_RC02_03affected
Endress+HauserField Xpert SMT700 <= SMT70_Win10_LTSC_21H2_v1.07.00_RC02_01affected
Endress+HauserField Xpert SMT770 <= SMT77_Win10_SAC_22H2_v1.08.04_RC03_02affected
Endress+HauserField Xpert SMT790 <= V1.08.02-1.8.8684.34292affected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References