Schneider Electric EcoStruxure IT Data Center Expert
cpe:2.3:a:schneider-electric:data_center_expert:*:*:*:*:*:*:*
- <= 8.3
A command injection vulnerability has been identified in Schneider Electric's EcoStruxure IT Data Center Expert (DCE) software, in versions through 8.3. The vulnerability, categorized as CWE-78, allows unauthenticated remote code execution. The issue arises when a malicious folder is created through the web interface over HTTP, which is disabled by default. Once HTTP is enabled and the folder is created, the vulnerability can be exploited to execute arbitrary code on the server.
Exploitation of this vulnerability could lead to unauthorized remote code execution on the affected server.
Users can upgrade to version 9.0 of EcoStruxure IT Data Center Expert, which includes fixes for this vulnerability. This version is available upon request from Schneider Electric's Customer Care Center. Customers should also consult the EcoStruxure IT Data Center Expert Security Handbook for guidance on hardening their DCE instance against potential exploits.