Schneider Electric has issued an urgent security notification on July 8, 2025, disclosing the discovery of several critical vulnerabilities affecting its widely deployed EcoStruxureâ„¢ IT Data Center Expert (DCE) platform.
The vulnerabilities, which impact versions 8.3 and prior, could allow attackers to remotely execute arbitrary OS commands, elevate privileges, and access sensitive system data, posing significant risks to the integrity and availability of data center environments.
Vulnerability Overview
The most severe of the vulnerabilities, tracked as CVE-2025-50121, is an unauthenticated OS command injection flaw stemming from improper input neutralization (CWE-78).
With a maximum CVSS v3.1 base score of 10 and a v4.0 score of 9.5, this issue permits remote code execution over HTTP if the protocol is enabled although HTTP is disabled by default.
Attackers could create malicious folders via the web interface to take complete control of affected systems, potentially leading to operational disruption and unauthorized access to system data.
Additional high and medium-severity vulnerabilities compound the threat. CVE-2025-50122, an insufficient entropy vulnerability (CWE-331), risks root password discovery if an attacker reverse-engineers the password generation algorithm with access to installation or upgrade files.
Code injection (CWE-94) via the console through exploitation of hostname input (CVE-2025-50123) and improper privilege management (CWE-269, CVE-2025-50124) could enable privileged users to execute arbitrary system commands or escalate privileges.
An SSRF flaw (CWE-918, CVE-2025-50125) exposes the server to unauthenticated remote code execution when certain hidden URLs are improperly handled, and a XXE vulnerability (CWE-611, CVE-2025-6438) could lead to unauthorized file access through manipulated SOAP API calls and XML injection.
Remediation and Recommendations
Schneider Electric has released version 9.0 of EcoStruxureâ„¢ IT Data Center Expert, which remedies all identified vulnerabilities.
The upgraded software is now available through the Schneider Electric Customer Care Center. The organization strongly advises customers to promptly upgrade, emphasizing the importance of backup and thorough validation in test environments prior to deployment.
Customers unable to patch immediately are urged to harden their DCE installations using recommendations from Schneider’s Security Handbook and implement robust segmentation and secured network practices to limit potential exposure.
Industry best practices are reiterated, including firewall placement to isolate control and safety networks, physical device security, restricted network access for programming software, and rigorous sanitation of mobile devices and removable media.
The company stresses that connections from business networks or the broader internet should be tightly controlled, and secure, up-to-date VPN solutions should be used for any remote access.
The vulnerabilities were responsibly disclosed by Jaggar Henry and Jim Becher of KoreLogic, Inc.
Schneider Electric encourages customers needing more information to reach out via their cybersecurity services portal.
This incident underscores the critical importance of rapid vulnerability management and ongoing vigilance for organizations leveraging industrial automation and infrastructure management solutions.
Schneider Electric maintains its commitment to security, sustainability, and efficiency, supporting customers worldwide with resilient, digitally enabled data center and industrial technologies.
For ongoing updates, users are advised to monitor official Schneider Electric communication channels.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant updates
