CVE-2017-14020

Summary

CVECVE-2017-14020
StatePUBLISHED
Assignericscert
Source PriorityCVE Program / NVD first with legacy fallback
Published2017-11-13 20:29:00 UTC
Updated2025-04-20 01:37:25 UTC
DescriptionIn AutomationDirect CLICK Programming Software (Part Number C0-PGMSW) Versions 2.10 and prior; C-More Programming Software (Part Number EA9-PGMSW) Versions 6.30 and prior; C-More Micro (Part Number EA-PGMSW) Versions 4.20.01.0 and prior; Do-more Designer Software (Part Number DM-PGMSW) Versions 2.0.3 and prior; GS Drives Configuration Software (Part Number GSOFT) Versions 4.0.6 and prior; SL-SOFT SOLO Temperature Controller Configuration Software (Part Number SL-SOFT) Versions 1.1.0.5 and prior; and DirectSOFT Programming Software Versions 6.1 and prior, an uncontrolled search path element (DLL Hijacking) vulnerability has been identified. To exploit this vulnerability, an attacker could rename a malicious DLL to meet the criteria of the application, and the application would not verify that the DLL is correct. Once loaded by the application, the DLL could run malicious code at the privilege level of the application.

Risk And Classification

Primary CVSS: v3.0 7.8 HIGH from [email protected]

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.001270000 probability, percentile 0.316050000 (date 2026-05-13)

Problem Types: CWE-427 | CWE-427 UNCONTROLLED SEARCH PATH ELEMENT CWE-427


VersionSourceTypeScoreSeverityVector
3.0[email protected]Primary7.8HIGHCVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
2.0[email protected]Primary9.3AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3.0 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2.0 Breakdown

Access Vector
Network
Access Complexity
Medium
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Hardware Automationdirect C-more Micro - All All All
Operating System Automationdirect C-more Micro Firmware All All All All
Hardware Automationdirect C-more Plc - All All All
Operating System Automationdirect C-more Plc Firmware All All All All
Hardware Automationdirect Click Plc - All All All
Operating System Automationdirect Click Plc Firmware All All All All
Hardware Automationdirect Gs Drives - All All All
Operating System Automationdirect Gs Drives Fimware All All All All
Hardware Automationdirect Sl-soft Solo Temperature Controller - All All All
Operating System Automationdirect Sl-soft Solo Temperature Controller Firmware All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA AutomationDirect CLICK Programming Software Part Number C0-PGMSW affected 2.10 and prior Not specified
CNA AutomationDirect C-More Programming Software Part Number EA9-PGMSW affected 6.30 and prior Not specified
CNA AutomationDirect C-More Micro Part Number EA-PGMSW affected 4.20.01.0 and prior Not specified
CNA AutomationDirect Do-more Designer Software Part Number DM-PGMSW affected 2.0.3 and prior Not specified
CNA AutomationDirect GS Drives Configuration Software Part Number GSOFT affected 4.0.6 and prior Not specified
CNA AutomationDirect SL-SOFT SOLO Temperature Controller Configuration Software Part Number SL-SOFT affected 1.1.0.5 and prior Not specified
CNA AutomationDirect DirectSOFT Programming Software affected 6.1 and prior Not specified

References

ReferenceSourceLinkTags
Multiple AutomationDirect Products CVE-2017-1402 DLL Loading Local Code Execution Vulnerability af854a3a-2127-422b-91ae-364da2661108 www.securityfocus.com Third Party Advisory, VDB Entry
ICS-CERT Advisories | ICS-CERT af854a3a-2127-422b-91ae-364da2661108 ics-cert.us-cert.gov Issue Tracking, Mitigation, Third Party Advisory, US Government Resource
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

© CVE.report 2026

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report