Schneider Electric Flaws Expose Systems to OS Command Injection Attacks
Schneider Electric, a global leader in industrial technology and sustainability, has issued a critical security notification revealing multiple vulnerabilities in its EcoStruxure IT Data Center Expert (DCE) software, a scalable monitoring solution for data center equipment.
Released on July 8, 2025, under document reference SEVD-2025-189-01, the advisory details six severe flaws affecting versions 8.3 and prior of the product.
These vulnerabilities, if exploited, could lead to unauthorized access, information disclosure, and remote compromise, posing significant risks to operational continuity and data security in critical infrastructure environments.
Critical Vulnerabilities Identified
Among the most alarming issues is CVE-2025-50121, an OS Command Injection vulnerability (CWE-78) with a CVSS v3.1 score of 10 (Critical) and a CVSS v4.0 score of 9.5.
This flaw allows unauthenticated remote code execution through the web interface when HTTP is enabled; HTTP is disabled by default.
Another critical concern is CVE-2025-50122, an Insufficient Entropy vulnerability (CWE-331) with a CVSS v3.1 score of 8.3 (High), which could enable attackers to reverse-engineer root passwords using installation or upgrade artifacts.
Additionally, CVE-2025-50123 (Code Injection, CWE-94) and CVE-2025-50124 (Improper Privilege Management, CWE-269) expose systems to remote command execution and privilege escalation risks, particularly when accessed by privileged accounts via console or specific scripts.
Privilege Escalation Risks
CVE-2025-50125 highlights a Server-Side Request Forgery (SSRF, CWE-918) issue, enabling unauthenticated remote code execution through manipulated host request headers, while CVE-2025-6438 reveals an XML External Entity (XXE, CWE-611) flaw that could result in unauthorized file access via SOAP API manipulation.
These vulnerabilities collectively underscore the urgent need for remediation to prevent catastrophic breaches in data center operations.
Schneider Electric has released version 9.0 of EcoStruxure IT Data Center Expert to address these issues, available through their Customer Care Center.
The company urges customers to apply the upgrade using robust methodologies, including testing in development environments and maintaining backups to mitigate deployment risks.
For those unable to update immediately, Schneider recommends hardening DCE instances per the EcoStruxure IT Data Center Expert Security Handbook and adopting cybersecurity best practices.
These include isolating control systems behind firewalls, restricting physical access to equipment, using secure remote access methods like VPNs, and minimizing internet exposure of critical devices.
The notification also credits researchers Jaggar Henry and Jim Becher from KoreLogic, Inc., for identifying these flaws and aiding in a coordinated response.
Schneider Electric emphasizes that while the base severity scores are provided, end-users should evaluate environmental metrics to assess the specific impact on their systems.
For further assistance, customers are directed to contact Schneider’s Industrial Cybersecurity Services or visit their cybersecurity support portal.
This incident serves as a stark reminder of the evolving threat landscape in industrial IoT and the importance of proactive security measures to safeguard critical infrastructure from sophisticated cyber threats.