Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation TGML Diagram Access Vulnerability

Vulnerability

A vulnerability exists in Schneider Electric's EcoStruxure Power Monitoring Expert (PME) and Power Operation (EPO) products, specifically in multi-tenant deployments. This vulnerability, categorized as CWE-668, exposes TGML diagram resources to the wrong control sphere, allowing other authenticated users inappropriate access to these diagrams. The issue is present in EcoStruxure Power Monitoring Expert versions 2023, 2023 R2, 2024, and 2024 R2, as well as EcoStruxure Power Operation 2022 and 2024 with the Advanced Reporting and Dashboards Module.

Impact

Exploitation of this vulnerability could lead to unauthorized access to TGML diagrams by other authenticated users within the same control sphere.

Remediation

Users can contact Schneider Electric's Customer Care Center to download the hotfixes available for each affected version. For EcoStruxure Power Operation 2022 and 2024 with Advanced Reporting, it's necessary to update EcoStruxure Power Monitoring Expert separately and apply the appropriate hotfix.

Added: Jul 11, 2025, 12:25 PM
Updated: Jul 11, 2025, 12:25 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 4.9
remediation: 7.9
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.