{"api_version":"1","generated_at":"2026-05-13T04:36:28+00:00","cve":"CVE-2014-9188","urls":{"html":"https://cve.report/CVE-2014-9188","api":"https://cve.report/api/cve/CVE-2014-9188.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2014-9188","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2014-9188"},"summary":{"title":"Schneider Electric ProClima Command Injection","description":"Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8513 and CVE-2014-8514.  NOTE: this may be clarified later based on details provided by researchers.","state":"PUBLISHED","assigner":"icscert","published_at":"2014-12-27 15:59:04","updated_at":"2026-05-06 22:30:45"},"problem_types":["CWE-77","CWE-119","CWE-77 CWE-77"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"9","severity":"","vector":"AV:N/AC:L/Au:N/C:C/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:P/A:P","baseScore":9,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}},{"version":"2.0","source":"ics-cert@hq.dhs.gov","type":"Secondary","score":"10","severity":"","vector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","baseScore":10,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"}},{"version":"2.0","source":"CNA","type":"CVSS","score":"10","severity":"","vector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","data":{"accessComplexity":"LOW","accessVector":"NETWORK","authentication":"NONE","availabilityImpact":"COMPLETE","baseScore":10,"confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","version":"2.0"}}],"references":[{"url":"http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-344-01","name":"http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-344-01","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Vendor Advisory"],"title":"","mime":"application/pdf","httpstatus":"200","archivestatus":"401"},{"url":"https://ics-cert.us-cert.gov/advisories/ICSA-14-350-01","name":"https://ics-cert.us-cert.gov/advisories/ICSA-14-350-01","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory","US Government Resource"],"title":"Schneider Electric ProClima Command Injection Vulnerabilities | ICS-CERT","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-14-350-01","name":"https://www.cisa.gov/news-events/ics-advisories/icsa-14-350-01","refsource":"ics-cert@hq.dhs.gov","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2014-9188","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-9188","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Schneider Electric","product":"ProClima","version":"affected 6.0.1 custom","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Schneider Electric has released an updated version of the ProClima \nsoftware, Version 6.1.7, which mitigates these vulnerabilities. \nCustomers are encouraged to download the new version and update their \ninstallations. It is important that customers first uninstall the \ncurrent version. The new version can be downloaded from Schneider \nElectric’s web site at the following location:\n\n\n http://www.schneider-electric.com/ww/en/download/document/ProClima_software \n\n\nFor further information on these vulnerabilities, please see \nSchneider Electric’s security notification (SEVD 2014-344-01) at \nSchneider Electric’s cybersecurity web page:\n\n\n http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page%20","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"This vulnerability was reported to ZDI by security researchers Ariele Caltabiano, Andrea Micalizzi, and Brian Gorenc.","lang":"en"}],"nvd_cpes":[{"cve_year":"2014","cve_id":"9188","vulnerable":"1","versionEndIncluding":"6.0.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"schneider_electric","cpe5":"proclima","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T13:40:23.200Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-344-01"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://ics-cert.us-cert.gov/advisories/ICSA-14-350-01"}],"title":"CVE Program Container"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"ProClima","vendor":"Schneider Electric","versions":[{"lessThanOrEqual":"6.0.1","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"This vulnerability was reported to ZDI by security researchers Ariele Caltabiano, Andrea Micalizzi, and Brian Gorenc."}],"datePublic":"2014-12-10T07:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8513 and CVE-2014-8514.  NOTE: this may be clarified later based on details provided by researchers.</p>"}],"value":"Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8513 and CVE-2014-8514.  NOTE: this may be clarified later based on details provided by researchers."}],"metrics":[{"cvssV2_0":{"accessComplexity":"LOW","accessVector":"NETWORK","authentication":"NONE","availabilityImpact":"COMPLETE","baseScore":10,"confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","version":"2.0"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-77","description":"CWE-77","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-07-24T22:39:42.287Z","orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-344-01"},{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-14-350-01"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Schneider Electric has released an updated version of the ProClima \nsoftware, Version 6.1.7, which mitigates these vulnerabilities. \nCustomers are encouraged to download the new version and update their \ninstallations. It is important that customers first uninstall the \ncurrent version. The new version can be downloaded from Schneider \nElectric’s web site at the following location:</p>\n<p><a target=\"_blank\" rel=\"nofollow\" href=\"http://www.schneider-electric.com/ww/en/download/document/ProClima_software\">http://www.schneider-electric.com/ww/en/download/document/ProClima_software</a></p>\n<p>For further information on these vulnerabilities, please see \nSchneider Electric’s security notification (SEVD 2014-344-01) at \nSchneider Electric’s cybersecurity web page:</p>\n<p><a target=\"_blank\" rel=\"nofollow\" href=\"http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page%20\">http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page</a></p>\n\n<br>"}],"value":"Schneider Electric has released an updated version of the ProClima \nsoftware, Version 6.1.7, which mitigates these vulnerabilities. \nCustomers are encouraged to download the new version and update their \ninstallations. It is important that customers first uninstall the \ncurrent version. The new version can be downloaded from Schneider \nElectric’s web site at the following location:\n\n\n http://www.schneider-electric.com/ww/en/download/document/ProClima_software \n\n\nFor further information on these vulnerabilities, please see \nSchneider Electric’s security notification (SEVD 2014-344-01) at \nSchneider Electric’s cybersecurity web page:\n\n\n http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cyber-security-vulnerabilities-sorted.page%20"}],"source":{"advisory":"ICSA-14-350-01","discovery":"EXTERNAL"},"title":"Schneider Electric ProClima Command Injection","x_generator":{"engine":"Vulnogram 0.2.0"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"ics-cert@hq.dhs.gov","ID":"CVE-2014-9188","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8513 and CVE-2014-8514.  NOTE: this may be clarified later based on details provided by researchers."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-344-01","refsource":"CONFIRM","url":"http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-344-01"},{"name":"https://ics-cert.us-cert.gov/advisories/ICSA-14-350-01","refsource":"MISC","url":"https://ics-cert.us-cert.gov/advisories/ICSA-14-350-01"}]}}}},"cveMetadata":{"assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","assignerShortName":"icscert","cveId":"CVE-2014-9188","datePublished":"2014-12-27T15:00:00.000Z","dateReserved":"2014-12-02T00:00:00.000Z","dateUpdated":"2025-07-24T22:39:42.287Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2014-12-27 15:59:04","lastModifiedDate":"2026-05-06 22:30:45","problem_types":["CWE-77","CWE-119","CWE-77 CWE-77"],"metrics":{"cvssMetricV2":[{"source":"ics-cert@hq.dhs.gov","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","baseScore":10,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":10,"acInsufInfo":true,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:P/A:P","baseScore":9,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":8.5,"acInsufInfo":true,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:schneider_electric:proclima:*:*:*:*:*:*:*:*","versionEndIncluding":"6.0.1","matchCriteriaId":"47B0392E-5225-40CD-B1CB-8761B69A743E"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2014","CveId":"9188","Ordinal":"1","Title":"Schneider Electric ProClima Command Injection","CVE":"CVE-2014-9188","Year":"2014"},"notes":[{"CveYear":"2014","CveId":"9188","Ordinal":"1","NoteData":"Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8513 and CVE-2014-8514.  NOTE: this may be clarified later based on details provided by researchers.","Type":"Description","Title":"Schneider Electric ProClima Command Injection"},{"CveYear":"2014","CveId":"9188","Ordinal":"2","NoteData":"2014-12-27","Type":"Other","Title":"Published"},{"CveYear":"2014","CveId":"9188","Ordinal":"3","NoteData":"2014-12-27","Type":"Other","Title":"Modified"}]}}}