Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-0676
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Schneider Electric. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Schneider Electric | N/A | Modbus/TCP Ethernet Modicon M340 FactoryCast module versions antérieures à 6.80 | ||
| Schneider Electric | N/A | Schneider Electric Software Update (SESU) versions antérieures à 3.0.12 | ||
| Schneider Electric | N/A | EcoStruxure Building Operation Enterprise Central versions 7.x antérieures à 7.0.2.348 | ||
| Schneider Electric | N/A | Modicon M340 X80 Ethernet Communication modules toutes versions pour la vulnérabilité CVE-2025-6625 | ||
| Schneider Electric | N/A | EcoStruxure Building Operation Enterprise Server versions 7.x antérieures à 7.0.2.348 | ||
| Schneider Electric | N/A | EcoStruxure Building Operation Enterprise Server versions 5.x antérieures à 5.0.3.17009 (CP16) | ||
| Schneider Electric | N/A | Modbus/TCP Ethernet Modicon M340 module versions antérieures à 3.60 | ||
| Schneider Electric | N/A | EcoStruxure Building Operation Workstation versions versions 6.x antérieures à 6.0.4.10001 (CP8) | ||
| Schneider Electric | N/A | M580 Global Data module toutes versions pour la vulnérabilité CVE-2025-6625 | ||
| Schneider Electric | N/A | EcoStruxure Building Operation Enterprise Central versions 5.x antérieures à 5.0.3.17009 (CP16) | ||
| Schneider Electric | N/A | EcoStruxure Building Operation Workstation versions 7.x antérieures à 7.0.2.348 | ||
| Schneider Electric | N/A | Modicon M340 toutes versions pour la vulnérabilité CVE-2025-6625 | ||
| Schneider Electric | N/A | EcoStruxure Building Operation Workstation versions 5.x antérieures à 5.0.3.17009 (CP16) | ||
| Schneider Electric | N/A | EcoStruxure Power Monitoring Expert (PME) versions antérieures à 2024 avec les derniers correctifs de sécurité | ||
| Schneider Electric | N/A | EcoStruxure Building Operation Enterprise Central versions 6.x antérieures à 6.0.4.10001 (CP8) |
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Modbus/TCP Ethernet Modicon M340 FactoryCast module versions ant\u00e9rieures \u00e0 6.80",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Schneider Electric Software Update (SESU) versions ant\u00e9rieures \u00e0 3.0.12",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Building Operation Enterprise Central versions 7.x ant\u00e9rieures \u00e0 7.0.2.348",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Modicon M340 X80 Ethernet Communication modules toutes versions pour la vuln\u00e9rabilit\u00e9 CVE-2025-6625",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Building Operation Enterprise Server versions 7.x ant\u00e9rieures \u00e0 7.0.2.348",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Building Operation Enterprise Server versions 5.x ant\u00e9rieures \u00e0 5.0.3.17009 (CP16)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Modbus/TCP Ethernet Modicon M340 module versions ant\u00e9rieures \u00e0 3.60",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Building Operation Workstation versions versions 6.x ant\u00e9rieures \u00e0 6.0.4.10001 (CP8)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "M580 Global Data module toutes versions pour la vuln\u00e9rabilit\u00e9 CVE-2025-6625",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Building Operation Enterprise Central versions 5.x ant\u00e9rieures \u00e0 5.0.3.17009 (CP16)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Building Operation Workstation versions 7.x ant\u00e9rieures \u00e0 7.0.2.348",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "Modicon M340 toutes versions pour la vuln\u00e9rabilit\u00e9 CVE-2025-6625",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Building Operation Workstation versions 5.x ant\u00e9rieures \u00e0 5.0.3.17009 (CP16)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Power Monitoring Expert (PME) versions ant\u00e9rieures \u00e0 2024 avec les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
},
{
"description": "EcoStruxure Building Operation Enterprise Central versions 6.x ant\u00e9rieures \u00e0 6.0.4.10001 (CP8)",
"product": {
"name": "N/A",
"vendor": {
"name": "Schneider Electric",
"scada": true
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-8448",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8448"
},
{
"name": "CVE-2025-6625",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6625"
},
{
"name": "CVE-2025-54927",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54927"
},
{
"name": "CVE-2025-54923",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54923"
},
{
"name": "CVE-2025-5296",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5296"
},
{
"name": "CVE-2025-54926",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54926"
},
{
"name": "CVE-2025-8449",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8449"
},
{
"name": "CVE-2025-54924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54924"
},
{
"name": "CVE-2025-54925",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54925"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0676",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-08-12T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Schneider Electric. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Schneider Electric",
"vendor_advisories": [
{
"published_at": "2025-08-12",
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2025-224-05",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-05\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-05.pdf"
},
{
"published_at": "2025-08-12",
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2025-224-02",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-02.pdf"
},
{
"published_at": "2025-08-11",
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2025-224-03",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-03.pdf"
},
{
"published_at": "2025-08-12",
"title": "Bulletin de s\u00e9curit\u00e9 Schneider Electric SEVD-2025-224-04",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-04.pdf"
}
]
}
CVE-2025-54926 (GCVE-0-2025-54926)
Vulnerability from cvelistv5 – Published: 2025-08-20 13:48 – Updated: 2025-08-20 17:21
VLAI?
EPSS
Summary
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause remote code execution when an authenticated attacker with admin privileges uploads a malicious file over HTTP which then gets executed.
Severity ?
7.2 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Schneider Electric | EcoStruxure™ Power Monitoring Expert (PME) |
Affected:
Version 2022
Affected: Version 2023 Affected: Version 2024 Affected: Version 2024 R2 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54926",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T17:21:43.158876Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T17:21:50.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Monitoring Expert (PME)",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 2022"
},
{
"status": "affected",
"version": "Version 2023"
},
{
"status": "affected",
"version": "Version 2024"
},
{
"status": "affected",
"version": "Version 2024 R2"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Operation (EPO) Advanced Reporting and Dashboards Module",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 2022 w/ Advanced Reporting Module"
},
{
"status": "affected",
"version": "Version 2024 w/ Advanced Reporting Module"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could cause remote code execution when an authenticated attacker with admin privileges uploads a malicious file over HTTP which then gets executed."
}
],
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could cause remote code execution when an authenticated attacker with admin privileges uploads a malicious file over HTTP which then gets executed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T13:48:02.393Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-02.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-54926",
"datePublished": "2025-08-20T13:48:02.393Z",
"dateReserved": "2025-08-01T04:38:47.036Z",
"dateUpdated": "2025-08-20T17:21:50.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54924 (GCVE-0-2025-54924)
Vulnerability from cvelistv5 – Published: 2025-08-20 13:39 – Updated: 2025-08-20 17:22
VLAI?
EPSS
Summary
CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthorized access to sensitive data when an attacker sends a specially crafted document to a vulnerable endpoint.
Severity ?
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Schneider Electric | EcoStruxure™ Power Monitoring Expert (PME) |
Affected:
Version 2022
Affected: Version 2023 Affected: Version 2024 Affected: Version 2024 R2 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T17:22:28.618615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T17:22:38.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Monitoring Expert (PME)",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 2022"
},
{
"status": "affected",
"version": "Version 2023"
},
{
"status": "affected",
"version": "Version 2024"
},
{
"status": "affected",
"version": "Version 2024 R2"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Operation (EPO) Advanced Reporting and Dashboards Module",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 2022 w/ Advanced Reporting Module"
},
{
"status": "affected",
"version": "Version 2024 w/ Advanced Reporting Module"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthorized access to sensitive data when an attacker sends a specially crafted document to a vulnerable endpoint."
}
],
"value": "CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthorized access to sensitive data when an attacker sends a specially crafted document to a vulnerable endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T13:44:53.863Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-02.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-54924",
"datePublished": "2025-08-20T13:39:10.986Z",
"dateReserved": "2025-08-01T04:38:47.036Z",
"dateUpdated": "2025-08-20T17:22:38.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54927 (GCVE-0-2025-54927)
Vulnerability from cvelistv5 – Published: 2025-08-20 13:51 – Updated: 2025-08-20 17:21
VLAI?
EPSS
Summary
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause unauthorized access to sensitive files when an authenticated attackers uses a crafted path input that is processed by the system.
Severity ?
4.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Schneider Electric | EcoStruxure™ Power Monitoring Expert (PME) |
Affected:
Version 2022
Affected: Version 2023 Affected: Version 2024 Affected: Version 2024 R2 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54927",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T17:21:22.824724Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T17:21:29.791Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Monitoring Expert (PME)",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 2022"
},
{
"status": "affected",
"version": "Version 2023"
},
{
"status": "affected",
"version": "Version 2024"
},
{
"status": "affected",
"version": "Version 2024 R2"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Operation (EPO) Advanced Reporting and Dashboards Module",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 2022 w/ Advanced Reporting Module"
},
{
"status": "affected",
"version": "Version 2024 w/ Advanced Reporting Module"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could cause unauthorized access to sensitive files when an authenticated attackers uses a crafted path input that is processed by the system."
}
],
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could cause unauthorized access to sensitive files when an authenticated attackers uses a crafted path input that is processed by the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T13:51:04.959Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-02.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-54927",
"datePublished": "2025-08-20T13:51:04.959Z",
"dateReserved": "2025-08-01T04:38:47.036Z",
"dateUpdated": "2025-08-20T17:21:29.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8449 (GCVE-0-2025-8449)
Vulnerability from cvelistv5 – Published: 2025-08-20 13:55 – Updated: 2025-09-09 20:50
VLAI?
EPSS
Summary
CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service when an authenticated user sends a specially crafted request to a specific endpoint from within the BMS network.
Severity ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Schnieder Electric | EcoStruxure Building Operation Enterprise Server |
Affected:
All 7.x versions , < 7.0.2.348
(version)
Unaffected: All 6.x versions , < 6.0.4.10001 (CP8) (version) Affected: All 5.x versions , < 5.0.3.17009 (CP16) (version) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8449",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T17:10:39.552635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T17:10:46.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Building Operation Enterprise Server",
"vendor": "Schnieder Electric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "affected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "unaffected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Enterprise Server",
"vendor": "Schneider Electric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "unaffected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "affected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Building Operation Workstation",
"vendor": "Schneider Eelctric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "affected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "affected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service when an authenticated user sends a specially crafted request to a specific endpoint from within the BMS network."
}
],
"value": "CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service when an authenticated user sends a specially crafted request to a specific endpoint from within the BMS network."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T20:50:55.766Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-04.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-8449",
"datePublished": "2025-08-20T13:55:34.397Z",
"dateReserved": "2025-07-31T21:02:44.262Z",
"dateUpdated": "2025-09-09T20:50:55.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5296 (GCVE-0-2025-5296)
Vulnerability from cvelistv5 – Published: 2025-08-18 07:22 – Updated: 2025-08-18 12:22
VLAI?
EPSS
Summary
CWE-59: Improper Link Resolution Before File Access ('Link Following') vulnerability exists that could cause
arbitrary data to be written to protected locations, potentially leading to escalation of privilege, arbitrary file
corruption, exposure of application and system information or persistent denial of service when a low-privileged
attacker tampers with the installation folder.
Severity ?
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schneider Electric | SESU |
Affected:
Versions prior to v3.0.12
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5296",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T12:22:15.242244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T12:22:22.123Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SESU",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions prior to v3.0.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027) vulnerability exists that could cause \narbitrary data to be written to protected locations, potentially leading to escalation of privilege, arbitrary file \ncorruption, exposure of application and system information or persistent denial of service when a low-privileged \nattacker tampers with the installation folder.\n\n\u003cbr\u003e"
}
],
"value": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027) vulnerability exists that could cause \narbitrary data to be written to protected locations, potentially leading to escalation of privilege, arbitrary file \ncorruption, exposure of application and system information or persistent denial of service when a low-privileged \nattacker tampers with the installation folder."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T07:22:05.013Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-03.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-5296",
"datePublished": "2025-08-18T07:22:05.013Z",
"dateReserved": "2025-05-28T06:06:42.804Z",
"dateUpdated": "2025-08-18T12:22:22.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6625 (GCVE-0-2025-6625)
Vulnerability from cvelistv5 – Published: 2025-08-18 06:58 – Updated: 2025-08-18 12:22
VLAI?
EPSS
Summary
CWE-20: Improper Input Validation vulnerability exists that could cause a Denial Of Service when specific
crafted FTP command is sent to the device.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Schneider Electric | Modicon M340 |
Affected:
All versions
|
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6625",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T12:22:44.912415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T12:22:54.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Modicon M340",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "BMXNOR0200H: Ethernet / Serial RTU Module",
"vendor": "Schneider ELectric",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "BMXNGD0100: M580 Global Data module",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "BMXNOC0401: Modicon M340 X80 Ethernet Communication modules",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "BMXNOE0100: Modbus/TCP Ethernet Modicon M340 module",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions prior to 3.60"
}
]
},
{
"defaultStatus": "unaffected",
"product": "BMXNOE0110: Modbus/TCP Ethernet Modicon M340 FactoryCast module",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions prior to 6.80"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-20: Improper Input Validation vulnerability exists that could cause a Denial Of Service when specific\ncrafted FTP command is sent to the device.\n\n\u003cbr\u003e"
}
],
"value": "CWE-20: Improper Input Validation vulnerability exists that could cause a Denial Of Service when specific\ncrafted FTP command is sent to the device."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T06:58:15.222Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-05\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-05.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-6625",
"datePublished": "2025-08-18T06:58:15.222Z",
"dateReserved": "2025-06-25T10:08:00.547Z",
"dateUpdated": "2025-08-18T12:22:54.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54923 (GCVE-0-2025-54923)
Vulnerability from cvelistv5 – Published: 2025-08-20 13:30 – Updated: 2025-08-20 17:23
VLAI?
EPSS
Summary
CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution and compromise of system integrity when authenticated users send crafted data to a network-exposed service that performs unsafe deserialization.
Severity ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Schneider Electric | EcoStruxure™ Power Monitoring Expert (PME) |
Affected:
Version 2022
Affected: Version 2023 Affected: Version 2024 Affected: Version 2024 R2 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54923",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T17:22:56.459372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T17:23:04.154Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Monitoring Expert (PME)",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 2022"
},
{
"status": "affected",
"version": "Version 2023"
},
{
"status": "affected",
"version": "Version 2024"
},
{
"status": "affected",
"version": "Version 2024 R2"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Operation (EPO) Advanced Reporting and Dashboards Module",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 2022 w/ Advanced Reporting Module"
},
{
"status": "affected",
"version": "Version 2024 w/ Advanced Reporting Module"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution and compromise of system integrity when authenticated users send crafted data to a network-exposed service that performs unsafe deserialization."
}
],
"value": "CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution and compromise of system integrity when authenticated users send crafted data to a network-exposed service that performs unsafe deserialization."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T13:44:42.905Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-02.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-54923",
"datePublished": "2025-08-20T13:30:04.988Z",
"dateReserved": "2025-08-01T04:38:47.036Z",
"dateUpdated": "2025-08-20T17:23:04.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54925 (GCVE-0-2025-54925)
Vulnerability from cvelistv5 – Published: 2025-08-20 13:44 – Updated: 2025-08-20 17:22
VLAI?
EPSS
Summary
CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthorized access to sensitive data when an attacker configures the application to access a malicious url.
Severity ?
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Schneider Electric | EcoStruxure™ Power Monitoring Expert (PME) |
Affected:
Version 2022
Affected: Version 2023 Affected: Version 2024 Affected: Version 2024 R2 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54925",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T17:22:07.997830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T17:22:14.962Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Monitoring Expert (PME)",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 2022"
},
{
"status": "affected",
"version": "Version 2023"
},
{
"status": "affected",
"version": "Version 2024"
},
{
"status": "affected",
"version": "Version 2024 R2"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Operation (EPO) Advanced Reporting and Dashboards Module",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 2022 w/ Advanced Reporting Module"
},
{
"status": "affected",
"version": "Version 2024 w/ Advanced Reporting Module"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthorized access to sensitive data when an attacker configures the application to access a malicious url."
}
],
"value": "CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthorized access to sensitive data when an attacker configures the application to access a malicious url."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T13:44:21.662Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-02.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-54925",
"datePublished": "2025-08-20T13:44:21.662Z",
"dateReserved": "2025-08-01T04:38:47.036Z",
"dateUpdated": "2025-08-20T17:22:14.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8448 (GCVE-0-2025-8448)
Vulnerability from cvelistv5 – Published: 2025-08-20 13:58 – Updated: 2025-09-09 20:55
VLAI?
EPSS
Summary
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause unauthorized access to sensitive credential data when an attacker is able to capture local SMB traffic between a valid user within the BMS network and the vulnerable products.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Schneider Eelctric | EcoStruxure Building Operation Enterprise Server |
Affected:
All 7.x versions , < 7.0.2.348
(version)
Affected: All 6.x versions , < 6.0.4.10001 (CP8) (version) Affected: All 5.x versions , < 5.0.3.17009 (CP16) (version) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8448",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T15:51:48.499459Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:51:53.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Building Operation Enterprise Server",
"vendor": "Schneider Eelctric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "affected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "affected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Enterprise Server",
"vendor": "Schneider Electric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "affected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "affected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Building Operation Workstation",
"vendor": "Schneider Eelctric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "affected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "affected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause unauthorized access to sensitive credential data when an attacker is able to capture local SMB traffic between a valid user within the BMS network and the vulnerable products."
}
],
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause unauthorized access to sensitive credential data when an attacker is able to capture local SMB traffic between a valid user within the BMS network and the vulnerable products."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 1,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T20:55:43.384Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-04.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-8448",
"datePublished": "2025-08-20T13:58:53.818Z",
"dateReserved": "2025-07-31T21:02:43.599Z",
"dateUpdated": "2025-09-09T20:55:43.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…