1. EXECUTIVE SUMMARY
- CVSS v4 9.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Schneider Electric
- Equipment: EcoStruxure IT Data Center Expert
- Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Insufficient Entropy, Improper Control of Generation of Code (‘Code Injection’), Server-Side Request Forgery (SSRF), Improper Privilege Management, and Improper Restriction of XML External Entity Reference
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to disrupt operations and access system data.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports the following product is affected:
- EcoStruxure IT Data Center Expert: Versions v8.3 and prior
3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
An improper neutralization of special elements used in an OS command (‘OS command injection’) vulnerability exists, which could cause unauthenticated remote code execution when a malicious folder is created via the HTTP web interface when enabled. HTTP is disabled by default.
CVE-2025-50121 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-50121. A base score of 9.5 has been calculated; the CVSS vector string is (This article has been indexed from All CISA Advisories