Schneider Electric EcoStruxure PME and EPO

Summary

Schneider Electric has identified a deserialization vulnerability in its EcoStruxure Power Monitoring Expert (PME) and EcoStruxure Power Operation (EPO) software. Exploiting this flaw could allow a local attacker to execute arbitrary code with administrative privileges, potentially leading to system compromise, operational disruption, or unauthorized control. Affected versions span PME 2022 through 2024 and EPO's Advanced Reporting and Dashboards Module.

IFF Assessment

FOE

This vulnerability allows for arbitrary code execution and administrative control, posing a significant risk to critical infrastructure systems.

Severity

7.8 High

Defender Context

Defenders managing Schneider Electric's EcoStruxure PME and EPO systems should prioritize applying the vendor's fix to mitigate the risk of local arbitrary code execution. The case underscores the importance of patching and secure configuration in operational technology (OT) environments, especially within critical infrastructure sectors, to prevent unauthorized access and operational disruption.