Schneider Electric EcoStruxure Power Monitoring Expert, Power Operation, and Power SCADA Operation Remote Code Execution Vulnerability

A deserialization vulnerability allowing remote code execution has been identified in Schneider Electric's EcoStruxure Power Monitoring Expert (PME) 2022, 2023, 2024, and 2024 R2 versions, as well as in the Power Operation (EPO) and Power SCADA Operation (PSO) products with the Advanced Reporting and Dashboards Module. This vulnerability arises when authenticated users send crafted data to a network-exposed service that performs unsafe deserialization, potentially compromising system integrity.

Impact

Exploitation of this vulnerability could lead to unauthorized remote code execution on the affected system, allowing an attacker to execute arbitrary code and potentially take control of the system.

Remediation

Users can upgrade to EcoStruxure Power Monitoring Expert (PME) 2024 R2, which includes a fix for this vulnerability. For those using EcoStruxure Power Operation, the update must be applied separately from Power Monitoring Expert. Customers should also follow the cybersecurity hardening guidelines provided with the product, ensure PME is running in an isolated network, deploy and configure the Windows firewall to limit access to appropriate network segments, enforce complex password policies, review server access permissions, and conduct regular audits of Windows-authenticated users with access to PME.