CVE-2022-37300

A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoStruxure Process Expert, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior), Modicon M340 CPU (part numbers BMXP34*) (V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*) (V3.20 and prior).

Published: 2022-09-12 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2022-37300 is rated Moderate Risk (55.7/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.67%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2022-37300

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.57% 0.67% +0.10%
2 2025-10-14 0.52% 0.57% +0.06%
3 2025-09-14 0.52%

Full EPSS history (11 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2022-37300

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
9.8 3.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
3.9 5.9 [email protected]
9.8 3.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
3.9 5.9 [email protected]

Weakness enumeration for CVE-2022-37300

Affected software / configurations for CVE-2022-37300

Vendor Product Version Raw CPE
schneider-electric ecostruxure_control_expert < 15.1 cpe:2.3:a:schneider-electric:ecostruxure_control_expert:*:*:*:*:*:*:*:*
schneider-electric ecostruxure_process_expert <= 2021 cpe:2.3:a:schneider-electric:ecostruxure_process_expert:*:*:*:*:*:*:*:*
schneider-electric modicon_m340_bmxp341000_firmware < 3.50 cpe:2.3:o:schneider-electric:modicon_m340_bmxp341000_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m340_bmxp342000_firmware < 3.50 cpe:2.3:o:schneider-electric:modicon_m340_bmxp342000_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m340_bmxp342010_firmware < 3.50 cpe:2.3:o:schneider-electric:modicon_m340_bmxp342010_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m340_bmxp3420102_firmware < 3.50 cpe:2.3:o:schneider-electric:modicon_m340_bmxp3420102_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m340_bmxp342020_firmware < 3.50 cpe:2.3:o:schneider-electric:modicon_m340_bmxp342020_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m340_bmxp342020h_firmware < 3.50 cpe:2.3:o:schneider-electric:modicon_m340_bmxp342020h_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m340_bmxp342030_firmware < 3.50 cpe:2.3:o:schneider-electric:modicon_m340_bmxp342030_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m340_bmxp3420302_firmware < 3.50 cpe:2.3:o:schneider-electric:modicon_m340_bmxp3420302_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m340_bmxp3420302h_firmware < 3.50 cpe:2.3:o:schneider-electric:modicon_m340_bmxp3420302h_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m340_bmxp342030h_firmware < 3.50 cpe:2.3:o:schneider-electric:modicon_m340_bmxp342030h_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmeh582040_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmeh582040_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmeh582040c_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmeh582040c_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmeh582040s_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmeh582040s_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmeh584040_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmeh584040_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmeh584040c_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmeh584040c_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmeh584040s_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmeh584040s_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmeh586040_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmeh586040_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmeh586040c_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmeh586040c_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmeh586040s_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmeh586040s_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep581020_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep581020_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep581020h_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep581020h_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep582020_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep582020_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep582020h_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep582020h_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep582040_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep582040_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep582040h_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep582040h_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep583020_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep583020_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep583040_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep583040_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep584020_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep584020_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep584040_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep584040_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep584040s_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep584040s_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep585040_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep585040_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep585040c_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep585040c_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep586040_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep586040_firmware:*:*:*:*:*:*:*:*
schneider-electric modicon_m580_bmep586040c_firmware < 4.02 cpe:2.3:o:schneider-electric:modicon_m580_bmep586040c_firmware:*:*:*:*:*:*:*:*

References for CVE-2022-37300

cvelogic Threat Intelligence