Multiple Schneider Electric Vulnerabilities Let Attackers Inject OS Commands

Schneider Electric has disclosed a critical set of six vulnerabilities affecting its EcoStruxure IT Data Center Expert software that could allow attackers to execute remote code and gain unauthorized system access.

The vulnerabilities, discovered in versions 8.3 and prior, present significant security risks to data center operations worldwide.

The most severe vulnerability, tracked as CVE-2025-50121, carries the maximum CVSS v3.1 score of 10.0 and enables unauthenticated remote code execution through OS command injection.

This critical flaw occurs when malicious actors create specially crafted folders via the web interface when HTTP is enabled, though the protocol is disabled by default.

Additional vulnerabilities include insufficient entropy in password generation (CVE-2025-50122), code injection through hostname manipulation (CVE-2025-50123), and server-side request forgery attacks (CVE-2025-50125).

The vulnerabilities were identified through security research by external researchers Jaggar Henry and Jim Becher of KoreLogic, Inc., and reported to Schneider Electric.

The company has acknowledged the severity of these findings and released detailed technical documentation outlining the attack vectors and potential impacts.

The vulnerabilities collectively affect the EcoStruxure IT Data Center Expert platform, which serves as scalable monitoring software for critical infrastructure equipment across numerous industrial environments.

OS Command Injection Mechanism

The primary attack vector centers on CVE-2025-50121’s OS command injection vulnerability, which exploits improper neutralization of special elements in system commands.

When HTTP is enabled on the web interface, attackers can manipulate folder creation processes to inject malicious commands directly into the underlying operating system.

Because the folder name is not neutralized before it reaches the system command, ordinary input validation is bypassed and the flaw grants system-level access without any authentication.

The vulnerability manifests when the application processes user-supplied folder names without proper sanitization, allowing shell metacharacters to be interpreted as system commands.

For instance, folder names containing semicolons, pipes, or backticks can break out of the intended command context and execute arbitrary code with system privileges.
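To make the defensive side of this concrete, here is an added example (not Schneider Electric's code, and not taken from the advisory) showing the two controls that remove this class of bug: allow-list validation of the folder name, and creating the directory without ever handing the name to a shell. The safe alphabet, the 64-character limit and the sample folder names are assumptions constructed for the example.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Added example, not Schneider Electric's code. The allow-list below is an
# assumption about what a folder name in a monitoring console needs: letters,
# digits, dot, underscore and hyphen, at most 64 characters, not starting
# with a dot (so "." and ".." can never pass).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}$")


def validate_folder_name(folder_name: str) -> bool:
    """Allow-list validation: anything outside the safe alphabet is rejected.

    That covers ; | ` $ ( ) and whitespace without trying to enumerate every
    metacharacter a shell might interpret, which is why an allow-list is
    preferred over a deny-list."""
    return SAFE_NAME.fullmatch(folder_name) is not None


def safe_mkdir(base_dir: Path, folder_name: str) -> Path:
    """Creates the folder using the filesystem API; no shell is involved."""
    if not validate_folder_name(folder_name):
        raise ValueError(f"folder name rejected: {folder_name!r}")
    base = base_dir.resolve()
    target = (base / folder_name).resolve()
    # Defence in depth: the result must sit directly under base_dir.
    if target.parent != base:
        raise ValueError("folder would escape the base directory")
    target.mkdir(exist_ok=True)
    return target


def safe_mkdir_subprocess(base_dir: Path, folder_name: str) -> Path:
    """Same check, for code that must call an external tool.

    argv is passed as a list with shell=False, so the folder name arrives as
    exactly one argument and is never parsed by /bin/sh. The injection on the
    page happens precisely because a name is spliced into a shell string."""
    if not validate_folder_name(folder_name):
        raise ValueError(f"folder name rejected: {folder_name!r}")
    target = base_dir.resolve() / folder_name
    subprocess.run(["mkdir", "-p", str(target)], shell=False, check=True)
    return target


def demo() -> dict:
    """Runs both paths in a scratch directory and reports what happened.

    The folder names are constructed samples: two legitimate names and a set
    that carries the metacharacters the article names (;, |, backtick) plus
    traversal and whitespace."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        results["created"] = safe_mkdir(base, "rack-01").is_dir()
        results["created_argv"] = safe_mkdir_subprocess(base, "row_B.2").is_dir()
        rejected = []
        for name in ["rack;01", "rack|01", "`rack`", "$(rack)", "..", "rack 01", "../rack"]:
            try:
                safe_mkdir(base, name)
            except ValueError:
                rejected.append(name)
        results["rejected"] = rejected
        # Only the two valid folders should exist afterwards.
        results["leftover"] = sorted(p.name for p in base.iterdir())
    return results


if __name__ == "__main__":
    print(demo())
```

The validator rejects rather than escapes: stripping or quoting metacharacters invites mistakes (quoting rules differ between shells), whereas refusing everything outside a small alphabet leaves nothing for a shell to interpret. The path check in `safe_mkdir` is independent of the name check and catches escapes such as symlinked parents that the regex alone would not.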

| CVE ID | CVSS v3.1 Score | CVSS v4.0 Score | Vulnerability Type | Attack Vector |
| --- | --- | --- | --- | --- |
| CVE-2025-50121 | 10.0 (Critical) | 9.5 (Critical) | OS Command Injection | Network |
| CVE-2025-50122 | 8.3 (High) | 8.9 (High) | Insufficient Entropy | Adjacent Network |
| CVE-2025-50123 | 7.2 (High) | 7.2 (High) | Code Injection | Physical |
| CVE-2025-50125 | 7.2 (High) | 6.3 (Medium) | Server-Side Request Forgery | Network |
| CVE-2025-50124 | 6.9 (Medium) | 7.2 (High) | Privilege Management | Physical |
| CVE-2025-6438 | 6.8 (Medium) | 5.9 (Medium) | XML External Entity | Network |

Organizations must immediately upgrade to EcoStruxure IT Data Center Expert version 9.0, which addresses all identified vulnerabilities.

As interim mitigation, administrators should disable HTTP access and implement network segmentation controls following Schneider Electric’s cybersecurity best practices handbook.
