Schneider Electric EcoStruxure Power Products Path Traversal Vulnerability Leading to Remote Code Execution

Vulnerability

A path traversal vulnerability allowing remote code execution has been identified in Schneider Electric's EcoStruxure Power Monitoring Expert (PME) 2022, 2023, 2024, and 2024 R2, and in EcoStruxure Power Operation (EPO) 2022 and 2024 when the Advanced Reporting and Dashboards Module is installed. The flaw stems from improper restriction of file paths: an authenticated attacker holding admin privileges can upload a malicious file over HTTP to a location from which the server then executes it.
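The entry describes the classic shape of this weakness: a client-supplied filename is joined to an upload directory without restriction, so traversal components or an executable extension let the file land where the server will run it. The following Python is an added illustration, not Schneider Electric's code and not the PME/EPO upload handler (whose internals this entry does not describe); it places the unsafe pattern beside a hardened check and an audit helper that reports whether a given name would escape the upload directory. The directory /srv/pme/uploads, the extension allow-list and all function names are assumptions made for the example.

```python
import os
import re

# Constructed for this example: the directory uploads are supposed to land in.
UPLOAD_DIR = "/srv/pme/uploads"
# Constructed allow-list: data files only, never anything a web server executes.
ALLOWED_EXTENSIONS = {".csv", ".xml", ".json"}
# A single path component: alphanumerics, dot, underscore, hyphen; no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def naive_target_path(upload_dir, client_filename):
    """The vulnerable pattern: trust the client's filename and join it to the
    upload directory. '..' components (or an absolute name) walk out of it."""
    return os.path.join(upload_dir, client_filename)


def escapes_directory(upload_dir, client_filename):
    """Audit helper: would the naive join place the file outside upload_dir?
    Uses realpath so symlinks in an existing prefix are followed."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(naive_target_path(upload_dir, client_filename))
    return os.path.commonpath([base, target]) != base


def safe_target_path(upload_dir, client_filename):
    """Hardened version. Rejects anything that is not one plain component with
    an allow-listed extension, then re-checks that the canonical result still
    sits directly inside upload_dir (defense in depth, not the only check)."""
    if "\x00" in client_filename or "/" in client_filename or "\\" in client_filename:
        raise ValueError("path separators or NUL in filename")
    if not SAFE_NAME.fullmatch(client_filename):
        raise ValueError("filename contains disallowed characters")
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, client_filename))
    if os.path.dirname(target) != base:
        raise ValueError("resolved path escapes upload directory")
    return target


def is_accepted(upload_dir, client_filename):
    """True if the hardened check would store the file, False if it rejects it."""
    try:
        safe_target_path(upload_dir, client_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names, as a request handler might receive them.
    for name in ["report.csv", "../../var/www/page.aspx", "..\\..\\x.csv", "page.aspx", "/etc/passwd"]:
        print(f"{name!r}: naive escapes={escapes_directory(UPLOAD_DIR, name)}, "
              f"hardened accepts={is_accepted(UPLOAD_DIR, name)}")
```

The two layers are deliberate: the character and extension allow-list is what actually stops the upload, while the realpath comparison catches a later refactor that loosens the allow-list. Logging the rejected names from `safe_target_path` gives operations a ready signal that someone with an admin account is probing the upload endpoint.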

Impact

Exploitation of this vulnerability could lead to unauthorized remote code execution on the affected system.

Remediation

Users are advised to upgrade to the latest version of EcoStruxure Power Monitoring Expert (PME) 2024 R2, or to apply Hotfix_269509_Release_13.1 and Hotfix_269476_Release_13.1, available through the Schneider Electric Customer Care Center. For EcoStruxure Power Operation the same hotfixes apply, but customers should first confirm whether they are running the 2024 version with the Advanced Reporting Module.

Added: Aug 20, 2025, 2:29 PM
Updated: Aug 20, 2025, 2:48 PM

Vulnerability Rating

Custom Algorithm

spread          2.6
impact          7.5
exploitability  4.4
remediation     7.9
relevance       0.4
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.