SEW-EURODRIVE recently disclosed a significant security vulnerability in its MOVITOOLS MotionStudio software, specifically affecting version 6.5.0.2. The vulnerability, tracked as CVE-2024-1167, is an improper restriction of XML External Entity (XXE) references: when the software processes XML data, an external entity can be resolved to a local file, leading to unrestricted file access. The flaw has been assigned a CVSS v3.1 base score of 5.5 and a CVSS v4 score of 5.6, indicating medium severity, with low attack complexity and no privileges required for exploitation.
The vulnerability was identified and reported by a researcher known as Esjay, working with the Trend Micro Zero Day Initiative. The report followed a coordinated disclosure process, allowing SEW-EURODRIVE to address the issue before it could be exploited maliciously. The company, headquartered in Germany and operating worldwide, has treated the flaw seriously given the potential risks to the critical infrastructure sectors that use its software.
In response to the discovery of this vulnerability, SEW-EURODRIVE has issued recommendations for mitigating the associated risks. It advises users to create a firewall rule that blocks outgoing TCP connections for the application “SEWManager.exe”, to prevent unauthorized data exfiltration or other malicious activity. Additionally, the company recommends that all users update to MOVITOOLS MotionStudio version 6.70 as soon as it becomes available, to ensure protection against this vulnerability.
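The outbound-block rule the vendor recommends, implemented as an added PowerShell example (not taken from SEW-EURODRIVE's advisory) that creates the rule idempotently and then verifies it is enabled and bound to the intended executable. The install path of SEWManager.exe is not given on the page, so the path below is a placeholder that must be replaced.

```powershell
# Added example, not vendor code: block outgoing TCP for SEWManager.exe as the
# CVE-2024-1167 mitigation recommends, then verify the rule took effect.
# Assumes Windows with the NetSecurity module (Windows 10 / Server 2012 R2 or later)
# and an elevated session. The program path is a PLACEHOLDER, not the real location.
#Requires -RunAsAdministrator

$RuleName    = 'Block outbound TCP - SEWManager.exe (CVE-2024-1167 mitigation)'
$ProgramPath = 'C:\PLACEHOLDER\MOVITOOLS MotionStudio\SEWManager.exe'   # replace

if (-not (Test-Path -LiteralPath $ProgramPath)) {
    throw "SEWManager.exe not found at '$ProgramPath'; set the real install path first."
}

# Idempotent: do not create a duplicate if a rule with this name already exists.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction   Outbound `
        -Action      Block `
        -Protocol    TCP `
        -Program     $ProgramPath `
        -Profile     Any `
        -Enabled     True `
        -Description 'Vendor-recommended mitigation: block outgoing TCP for MOVITOOLS MotionStudio SEWManager.exe' |
        Out-Null
}

# Verification: read the rule back together with its application and port filters,
# so an operator can confirm direction, action, protocol and target program.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$app  = $rule | Get-NetFirewallApplicationFilter
$port = $rule | Get-NetFirewallPortFilter

[pscustomobject]@{
    Name      = $rule.DisplayName
    Enabled   = $rule.Enabled
    Direction = $rule.Direction
    Action    = $rule.Action
    Protocol  = $port.Protocol
    Program   = $app.Program
} | Format-List
```

The rule only limits what the process can send out over TCP; it does not remove the XXE flaw itself, so the update to version 6.70 remains the actual fix.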