Schneider Electric EcoStruxure Power Monitoring Expert
cpe:2.3:a:schneider-electric:ecostruxure_power_monitoring_expert:*:*:*:*:*:*:*
- 2022
- 2023
- 2024
- 2024 R2
A server-side request forgery (SSRF) vulnerability has been identified in Schneider Electric's EcoStruxure Power Monitoring Expert (PME) 2022, 2023, 2024, and 2024 R2, as well as in EcoStruxure Power Operation (EPO) 2022 and 2024 when the Advanced Reporting and Dashboards Module is installed. The vulnerability allows an attacker to configure the application so that it issues requests to malicious URLs; successful exploitation could result in unauthorized access to sensitive data.
Users are advised to upgrade to the latest version of EcoStruxure Power Monitoring Expert (PME) 2024 R2, which includes a fix for this vulnerability. For EcoStruxure Power Operation, the update must be applied separately from Power Monitoring Expert. Customers should contact Schneider Electric's Customer Care Center for assistance with the hotfix. Additionally, it is recommended to follow cybersecurity hardening guidelines, ensure PME is running in an isolated network, deploy and configure the Windows firewall to limit access to appropriate network segments, enforce complex password policies, review server access permissions, and apply the principle of least privilege.