All CISA Advisories, EN

Schneider Electric EcoStruxure Power Operation

2025-07-22 21:07

1. EXECUTIVE SUMMARY

CVSS v3 8.8
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation
Vendor: Schneider Electric
Equipment: EcoStruxure Power Operation
Vulnerabilities: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’), Integer Overflow to Buffer Overflow, Improper Handling of Highly Compressed Data (Data Amplification), Out-of-bounds Write, Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in the loss of system functionality or unauthorized access to system functions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports the following products use an affected version of the PostgreSQL database server:

EcoStruxure Power Operation (EPO): 2022 CU6 and prior
EcoStruxure Power Operation (EPO): 2024 CU1 and prior

3.2 Vulnerability Overview

3.2.1 Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) CWE-95

Pillow Version 10.1.0 allows PIL.ImageMath.eval arbitrary code execution via the environment parameter. This is a different vulnerability from CVE-2022-22817, which pertains to the expression parameter.

CVE-2023-50447 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 Integer Overflow to Buffer Overflow CWE-680[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from All CISA Advisories

Read the original article:

Schneider Electric EcoStruxure Power Operation

Tags: All CISA Advisories EN

Post navigation

← Schneider Electric EcoStruxture IT Data Center Expert

CISA Adds Two Known Exploited Vulnerabilities to Catalog →

Search for:
Pages

Advertising

Contact

Legal and Contact information

Opt-out preferences

Privacy Policy

Social Media

Apps

Telegram Channel

Recent Posts

10 Best Dark Web Monitoring Tools in 2025 August 3, 2025

IT Security News Hourly Summary 2025-08-03 06h : 1 posts August 3, 2025

How Secure Are Your Non-Human Identities? August 3, 2025

New Linux backdoor Plague bypasses auth via malicious PAM module August 3, 2025

China Presses Nvidia Over Alleged Backdoors in H20 Chips Amid Tech Tensions August 3, 2025

BSidesSF 2025: Mapping The SaaS Attack Surface August 3, 2025

IT Security News Hourly Summary 2025-08-02 21h : 1 posts August 2, 2025

New Attack Uses Windows Shortcut Files to Install REMCOS Backdoor August 2, 2025

AI-supported Cursor IDE Falls Victim to Prompt Injection Attacks August 2, 2025

Misconfigured Firewalls Plague Enterprises, Exposing Critical Security Gaps August 2, 2025

CL-STA-0969 Installs Covert Malware in Telecom Networks During 10-Month Espionage Campaign August 2, 2025

IT Security News Hourly Summary 2025-08-02 18h : 3 posts August 2, 2025

FBI Issues Urgent Warning: Millions of Android Devices Compromised by Malware Operation August 2, 2025

Luxembourg Probes Cyberattack Behind Telecom Outage, Cites “Exceptionally Sophisticated” Assault August 2, 2025

FBI Warns Chrome Users Against Unofficial Updates Downloading August 2, 2025

Ransomware Defence Begins with Fundamentals Not AI August 2, 2025

Singapore Companies Struggle to Recover from Ransomware Despite Paying Hackers August 2, 2025

New ‘Plague’ PAM Backdoor Exposes Critical Linux Systems to Silent Credential Theft August 2, 2025

IT Security News Hourly Summary 2025-08-02 15h : 1 posts August 2, 2025

OT Security: Guide For Critical Infrastructure August 2, 2025

Copyright © 2025 IT Security News. All Rights Reserved. The Magazine Basic Theme by bavotasan.com.

Manage Consent

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Functional Functional Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

Manage options Manage services Manage {vendor_count} vendors Read more about these purposes

View preferences

{title} {title} {title}