Multiple Schneider Electric Vulnerabilities Let Attackers Inject OS Commands
Schneider Electric has disclosed a critical set of six vulnerabilities affecting its EcoStruxure IT Data Center Expert software that could allow attackers to execute remote code and gain unauthorized system access.
The vulnerabilities, discovered in versions 8.3 and prior, present significant security risks to data center operations worldwide.
The most severe vulnerability, tracked as CVE-2025-50121, carries a perfect CVSS score of 10.0 and enables unauthenticated remote code execution through OS command injection.
This critical flaw occurs when malicious actors create specially crafted folders via the web interface when HTTP is enabled, though the protocol is disabled by default.
Additional vulnerabilities include insufficient entropy in password generation (CVE-2025-50122), code injection through hostname manipulation (CVE-2025-50123), and server-side request forgery attacks (CVE-2025-50125).
Schneider Electric analysts identified these vulnerabilities through comprehensive security research conducted by external researchers Jaggar Henry and Jim Becher from KoreLogic, Inc.
The company has acknowledged the severity of these findings and released detailed technical documentation outlining the attack vectors and potential impacts.
The vulnerabilities collectively affect the EcoStruxure IT Data Center Expert platform, which serves as scalable monitoring software for critical infrastructure equipment across numerous industrial environments.
OS Command Injection Mechanism
The primary attack vector centers on CVE-2025-50121’s OS command injection vulnerability, which exploits improper neutralization of special elements in system commands.
When HTTP is enabled on the web interface, attackers can manipulate folder creation processes to inject malicious commands directly into the underlying operating system.
This technique bypasses standard input validation mechanisms and grants immediate system-level access without authentication requirements.
The vulnerability manifests when the application processes user-supplied folder names without proper sanitization, allowing shell metacharacters to be interpreted as system commands.
For instance, folder names containing semicolons, pipes, or backticks can break out of the intended command context and execute arbitrary code with system privileges.
| CVE ID | CVSS v3.1 Score | CVSS v4.0 Score | Vulnerability Type | Attack Vector |
|---|---|---|---|---|
| CVE-2025-50121 | 10.0 (Critical) | 9.5 (Critical) | OS Command Injection | Network |
| CVE-2025-50122 | 8.3 (High) | 8.9 (High) | Insufficient Entropy | Adjacent Network |
| CVE-2025-50123 | 7.2 (High) | 7.2 (High) | Code Injection | Physical |
| CVE-2025-50125 | 7.2 (High) | 6.3 (Medium) | Server-Side Request Forgery | Network |
| CVE-2025-50124 | 6.9 (Medium) | 7.2 (High) | Privilege Management | Physical |
| CVE-2025-6438 | 6.8 (Medium) | 5.9 (Medium) | XML External Entity | Network |
Organizations must immediately upgrade to EcoStruxure IT Data Center Expert version 9.0, which addresses all identified vulnerabilities.
As interim mitigation, administrators should disable HTTP access and implement network segmentation controls following Schneider Electric’s cybersecurity best practices handbook.
Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now
Source link
