Schneider Electric EcoStruxure Power Products Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Schneider Electric's EcoStruxure Power Monitoring Expert (PME) 2022, 2023, 2024, and 2024 R2 versions, as well as in EcoStruxure Power Operation (EPO) 2022 and 2024 with the Advanced Reporting and Dashboards Module. This vulnerability could allow unauthorized access to sensitive data by exploiting a vulnerable endpoint with a specially crafted document.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive data.

Remediation

Users can upgrade to EcoStruxure Power Monitoring Expert (PME) 2024 R2 or apply Hotfix_269509_Release_13.1 and Hotfix_269476_Release_13.1 for EcoStruxure Power Operation (EPO) 2024 with the Advanced Reporting and Dashboards Module. For EcoStruxure Power Monitoring Expert (PME) 2022, which is no longer supported, customers should apply recommended cybersecurity hardening guidelines and consider upgrading to a supported version.

Added: Aug 20, 2025, 2:31 PM
Updated: Aug 20, 2025, 2:51 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 2.5
exploitability: 7.0
remediation: 7.9
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.