Schneider Electrical has disclosed a crucial set of six vulnerabilities affecting its EcoStruxure IT Information Middle Professional software program that would permit attackers to execute distant code and achieve unauthorized system entry.
The vulnerabilities, found in variations 8.3 and prior, current vital safety dangers to information middle operations worldwide.
Probably the most extreme vulnerability, tracked as CVE-2025-50121, carries an ideal CVSS rating of 10.0 and allows unauthenticated distant code execution via OS command injection.
This crucial flaw happens when malicious actors create specifically crafted folders by way of the net interface when HTTP is enabled, although the protocol is disabled by default.
Further vulnerabilities embody inadequate entropy in password era (CVE-2025-50122), code injection via hostname manipulation (CVE-2025-50123), and server-side request forgery assaults (CVE-2025-50125).
Schneider Electrical analysts recognized these vulnerabilities via complete safety analysis performed by exterior researchers Jaggar Henry and Jim Becher from KoreLogic, Inc.
The corporate has acknowledged the severity of those findings and launched detailed technical documentation outlining the assault vectors and potential impacts.
The vulnerabilities collectively have an effect on the EcoStruxure IT Information Middle Professional platform, which serves as scalable monitoring software program for crucial infrastructure gear throughout quite a few industrial environments.
OS Command Injection Mechanism
The first assault vector facilities on CVE-2025-50121’s OS command injection vulnerability, which exploits improper neutralization of particular components in system instructions.
When HTTP is enabled on the net interface, attackers can manipulate folder creation processes to inject malicious instructions immediately into the underlying working system.
This system bypasses customary enter validation mechanisms and grants fast system-level entry with out authentication necessities.
The vulnerability manifests when the appliance processes user-supplied folder names with out correct sanitization, permitting shell metacharacters to be interpreted as system instructions.
As an illustration, folder names containing semicolons, pipes, or backticks can escape of the meant command context and execute arbitrary code with system privileges.
CVE IDCVSS v3.1 ScoreCVSS v4.0 ScoreVulnerability TypeAttack VectorCVE-2025-5012110.0 (Vital)9.5 (Vital)OS Command InjectionNetworkCVE-2025-501228.3 (Excessive)8.9 (Excessive)Inadequate EntropyAdjacent NetworkCVE-2025-501237.2 (Excessive)7.2 (Excessive)Code InjectionPhysicalCVE-2025-501257.2 (Excessive)6.3 (Medium)Server-Aspect Request ForgeryNetworkCVE-2025-501246.9 (Medium)7.2 (Excessive)Privilege ManagementPhysicalCVE-2025-64386.8 (Medium)5.9 (Medium)XML Exterior EntityNetwork
Organizations should instantly improve to EcoStruxure IT Information Middle Professional model 9.0, which addresses all recognized vulnerabilities.
As interim mitigation, directors ought to disable HTTP entry and implement community segmentation controls following Schneider Electrical’s cybersecurity greatest practices handbook.
Examine dwell malware conduct, hint each step of an assault, and make sooner, smarter safety selections -> Attempt ANY.RUN now
