Search criteria
727 vulnerabilities
CVE-2026-6332 (GCVE-0-2026-6332)
Vulnerability from cvelistv5 – Published: 2026-05-14 16:54 – Updated: 2026-05-14 18:37
VLAI
Title
Clear Text Storage of Sensitive Information on EcoStruxure™ Machine Expert HVAC
Summary
CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of a sensitive information which could result in revealing protected source code and loss of confidentiality, When an authorized attacker accesses the source code for editing or compiling it.
Severity
CWE
- CWE-312 - Cleartext storage of sensitive information
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | Ecostruxure™ Machine Expert HVAC |
Affected:
Versions prior to 1.10.0
|
Date Public
2026-05-12 16:49
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6332",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T18:37:08.735767Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T18:37:23.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ecostruxure\u2122 Machine Expert HVAC",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions prior to 1.10.0"
}
]
}
],
"datePublic": "2026-05-12T16:49:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of a sensitive information which could result in revealing protected source code and loss of confidentiality, When an authorized attacker accesses the source code for editing or compiling it."
}
],
"value": "CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of a sensitive information which could result in revealing protected source code and loss of confidentiality, When an authorized attacker accesses the source code for editing or compiling it."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext storage of sensitive information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T16:54:50.465Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-132-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-132-01.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Clear Text Storage of Sensitive Information on EcoStruxure\u2122 Machine Expert HVAC",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-6332",
"datePublished": "2026-05-14T16:54:50.465Z",
"dateReserved": "2026-04-15T07:55:30.087Z",
"dateUpdated": "2026-05-14T18:37:23.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6866 (GCVE-0-2026-6866)
Vulnerability from cvelistv5 – Published: 2026-05-12 13:59 – Updated: 2026-05-12 15:43
VLAI
Title
Initialization of a Resource with an Insecure Default vulnerability on EcoStruxure™ Panel Server
Summary
CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could cause unauthorized disclosure of sensitive information when credentials revert to initial settings in rare circumstances, enabling unauthorized authentication using known credentials.
Severity
CWE
- CWE-1188 - Initialization of a resource with an insecure default
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | EcoStruxure™ Panel Server |
Affected:
Versions 002.005.000 and prior
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6866",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T15:43:29.539824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T15:43:40.858Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"PAS400",
"PAS600",
"PAS600V2",
"PAS800",
"PAS800V2"
],
"product": "EcoStruxure\u2122 Panel Server",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions 002.005.000 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could cause unauthorized disclosure of sensitive information when credentials revert to initial settings in rare circumstances, enabling unauthorized authentication using known credentials."
}
],
"value": "CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could cause unauthorized disclosure of sensitive information when credentials revert to initial settings in rare circumstances, enabling unauthorized authentication using known credentials."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1188",
"description": "CWE-1188 Initialization of a resource with an insecure default",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T13:59:33.610Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-132-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-132-04.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Initialization of a Resource with an Insecure Default vulnerability on EcoStruxure\u2122 Panel Server",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-6866",
"datePublished": "2026-05-12T13:59:33.610Z",
"dateReserved": "2026-04-22T16:17:46.134Z",
"dateUpdated": "2026-05-12T15:43:40.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6865 (GCVE-0-2026-6865)
Vulnerability from cvelistv5 – Published: 2026-05-12 12:29 – Updated: 2026-05-12 14:36
VLAI
Title
Improper Limitation of a Pathname to a Restricted Directory Vulnerability on Multiple Products
Summary
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) vulnerability that could cause unauthorized access to sensitive files when user-supplied input is improperly handled during server-side file path processing.
Severity
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | EasyLogic T150 (formerly Saitel DR) Remote Terminal Unit & Controller |
Affected:
Versions 11.06.31 and prior
|
|
| Schneider Electric | Saitel DP Remote Terminal Unit & Controller |
Affected:
Versions 11.06.36 and prior
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T14:35:42.694103Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T14:36:00.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EasyLogic T150 (formerly Saitel DR) Remote Terminal Unit \u0026 Controller",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions 11.06.31 and prior"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Saitel DP Remote Terminal Unit \u0026 Controller",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions 11.06.36 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u201cPath Traversal\u201d) vulnerability that could cause unauthorized access to sensitive files when user-supplied input is improperly handled during server-side file path processing."
}
],
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u201cPath Traversal\u201d) vulnerability that could cause unauthorized access to sensitive files when user-supplied input is improperly handled during server-side file path processing."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u201cPath Traversal\u201d)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:29:51.590Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-132-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-132-03.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Limitation of a Pathname to a Restricted Directory Vulnerability on Multiple Products",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-6865",
"datePublished": "2026-05-12T12:29:51.590Z",
"dateReserved": "2026-04-22T16:17:43.729Z",
"dateUpdated": "2026-05-12T14:36:00.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4827 (GCVE-0-2026-4827)
Vulnerability from cvelistv5 – Published: 2026-05-12 12:24 – Updated: 2026-05-14 17:38
VLAI
Title
Insufficient Entropy vulnerability on Multiple Products
Summary
CWE‑331: Insufficient Entropy vulnerability exists that could lead to unauthorized access when an attacker on the network can exploit weaknesses in session‑management protections.
Severity
CWE
- CWE-331 - Insufficient entropy
Assigner
References
1 reference
Impacted products
14 products
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | Easergy MiCOM C264 |
Affected:
Versions D6.x
Affected: Versions D7.33 and prior |
|
| Schneider Electric | Easergy C5 |
Affected:
Version 1.1.17 and prior
|
|
| Schneider Electric | Easergy MiCOM P30 |
Affected:
P139 version prior to P139.678.700
Affected: P437 version prior to P437.678.700 Affected: P439 version prior to P439.678.700 Affected: P532 version prior to P532.678.700 Affected: P539 version prior to P539.678.700 Affected: P631 version prior to P631.678.700 Affected: P632 version prior to P632.678.700 Affected: P633 version prior to P633.678.700 Affected: P634 version prior to P634.678.700 Affected: P633 version P633.680.700 only Affected: P634 version P634.680.700 only Affected: P138 version prior to P138.677.700 Affected: P436 version prior to P436.677.701 Affected: P438 version prior to P438.677.701 Affected: P638 version prior to P638.677.700 Affected: C434 version prior to C434.679.700 |
|
| Schneider Electric | Easergy MiCOM P40 |
Affected:
Series model numbers with Protocol Option bit as G, H or L and all firmware versions
|
|
| Schneider Electric | EcoStruxure™ Power Automation System Gateway (EPAS-GTW) |
Affected:
Version 6.4.616.200.100 and prior
|
|
| Schneider Electric | EcoStruxure™ Power Automation System User Interface (EPAS-UI) |
Affected:
Version 3.0.3 and prior
|
|
| Schneider Electric | EcoStruxure™ Power Operation |
Affected:
Version 2022 CU6 and prior
Affected: Version 2024 CU2 and prior |
|
| Schneider Electric | iPMFLS |
Affected:
Version 64.2025.0.13 and prior
|
|
| Schneider Electric | PowerLogic™ P5 Protection Relay |
Affected:
V02.502.103 and prior
|
|
| Schneider Electric | PowerLogic™ P7 Protection and Control Platform |
Affected:
V02.002.002 and prior
|
|
| Schneider Electric | PowerLogic™ T300 |
Affected:
Version 2.9.4 and prior
|
|
| Schneider Electric | PowerLogic™ T500 |
Affected:
Version 11.08.02 and prior
|
|
| Schneider Electric | Saitel DP |
Affected:
Version 11.06.36 and prior
|
|
| Schneider Electric | EasyLogic T150 (formerly Saitel DR) |
Affected:
Version 11.06.30 and prior
|
Date Public
2026-05-12 16:49
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4827",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T12:39:02.210471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:39:31.579Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM C264",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions D6.x"
},
{
"status": "affected",
"version": "Versions D7.33 and prior"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Easergy C5",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 1.1.17 and prior"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM P30",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "P139 version prior to P139.678.700"
},
{
"status": "affected",
"version": "P437 version prior to P437.678.700"
},
{
"status": "affected",
"version": "P439 version prior to P439.678.700"
},
{
"status": "affected",
"version": "P532 version prior to P532.678.700"
},
{
"status": "affected",
"version": "P539 version prior to P539.678.700"
},
{
"status": "affected",
"version": "P631 version prior to P631.678.700"
},
{
"status": "affected",
"version": "P632 version prior to P632.678.700"
},
{
"status": "affected",
"version": "P633 version prior to P633.678.700"
},
{
"status": "affected",
"version": "P634 version prior to P634.678.700"
},
{
"status": "affected",
"version": "P633 version P633.680.700 only"
},
{
"status": "affected",
"version": "P634 version P634.680.700 only"
},
{
"status": "affected",
"version": "P138 version prior to P138.677.700"
},
{
"status": "affected",
"version": "P436 version prior to P436.677.701"
},
{
"status": "affected",
"version": "P438 version prior to P438.677.701"
},
{
"status": "affected",
"version": "P638 version prior to P638.677.700"
},
{
"status": "affected",
"version": "C434 version prior to C434.679.700"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM P40",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Series model numbers with Protocol Option bit as G, H or L and all firmware versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Automation System Gateway (EPAS-GTW)",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 6.4.616.200.100 and prior"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Automation System User Interface (EPAS-UI)",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 3.0.3 and prior"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Operation",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 2022 CU6 and prior"
},
{
"status": "affected",
"version": "Version 2024 CU2 and prior"
}
]
},
{
"defaultStatus": "unaffected",
"product": "iPMFLS",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 64.2025.0.13 and prior"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PowerLogic\u2122 P5 Protection Relay",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "V02.502.103 and prior"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PowerLogic\u2122 P7 Protection and Control Platform",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "V02.002.002 and prior"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PowerLogic\u2122 T300",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 2.9.4 and prior"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PowerLogic\u2122 T500",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 11.08.02 and prior"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Saitel DP",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 11.06.36 and prior"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EasyLogic T150 (formerly Saitel DR)",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 11.06.30 and prior"
}
]
}
],
"datePublic": "2026-05-12T16:49:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE\u2011331: Insufficient Entropy vulnerability exists that could lead to unauthorized access when an attacker on the network can exploit weaknesses in session\u2011management protections."
}
],
"value": "CWE\u2011331: Insufficient Entropy vulnerability exists that could lead to unauthorized access when an attacker on the network can exploit weaknesses in session\u2011management protections."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T17:38:38.647Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-132-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-132-02.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insufficient Entropy vulnerability on Multiple Products",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-4827",
"datePublished": "2026-05-12T12:24:22.928Z",
"dateReserved": "2026-03-25T14:07:29.111Z",
"dateUpdated": "2026-05-14T17:38:38.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2401 (GCVE-0-2026-2401)
Vulnerability from cvelistv5 – Published: 2026-04-14 15:24 – Updated: 2026-04-14 16:27
VLAI
Summary
CWE-532 Insertion of Sensitive Information into Log File vulnerability exists that could cause confidential information to be exposed when a Web Admin user executes a malicious file provided by an attacker.
Severity
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | PowerChute™ Serial Shutdown |
Affected:
Versions 1.4 and prior
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2401",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T16:23:13.716274Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:27:16.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerChute\u2122 Serial Shutdown",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions 1.4 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-532 Insertion of Sensitive Information into Log File vulnerability exists that could cause confidential information to be exposed when a Web Admin user executes a malicious file provided by an attacker."
}
],
"value": "CWE-532 Insertion of Sensitive Information into Log File vulnerability exists that could cause confidential information to be exposed when a Web Admin user executes a malicious file provided by an attacker."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 2.4,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:24:17.233Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-104-01.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-2401",
"datePublished": "2026-04-14T15:24:17.233Z",
"dateReserved": "2026-02-12T13:18:59.627Z",
"dateUpdated": "2026-04-14T16:27:16.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2400 (GCVE-0-2026-2400)
Vulnerability from cvelistv5 – Published: 2026-04-14 15:22 – Updated: 2026-04-14 16:27
VLAI
Summary
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload.
Severity
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | PowerChute™ Serial Shutdown |
Affected:
Versions 1.4 and prior
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2400",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T16:23:35.812067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:27:22.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerChute\u2122 Serial Shutdown",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions 1.4 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload."
}
],
"value": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:22:53.245Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-104-01.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-2400",
"datePublished": "2026-04-14T15:22:53.245Z",
"dateReserved": "2026-02-12T13:17:07.149Z",
"dateUpdated": "2026-04-14T16:27:22.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2403 (GCVE-0-2026-2403)
Vulnerability from cvelistv5 – Published: 2026-04-14 15:21 – Updated: 2026-04-14 16:27
VLAI
Summary
CWE-1284 Improper Validation of Specified Quantity in Input vulnerability exists that could cause Event and Data Log truncation impacting log integrity when a Web Admin user alters the POST /logsettings request payload.
Severity
CWE
- CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | PowerChute™ Serial Shutdown |
Affected:
Versions 1.4 and prior
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2403",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T16:23:47.895593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:27:27.629Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerChute\u2122 Serial Shutdown",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions 1.4 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-1284 Improper Validation of Specified Quantity in Input vulnerability exists that could cause Event and Data Log truncation impacting log integrity when a Web Admin user alters the POST /logsettings request payload."
}
],
"value": "CWE-1284 Improper Validation of Specified Quantity in Input vulnerability exists that could cause Event and Data Log truncation impacting log integrity when a Web Admin user alters the POST /logsettings request payload."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284 Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:21:10.802Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-104-01.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-2403",
"datePublished": "2026-04-14T15:21:10.802Z",
"dateReserved": "2026-02-12T13:19:02.490Z",
"dateUpdated": "2026-04-14T16:27:27.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2405 (GCVE-0-2026-2405)
Vulnerability from cvelistv5 – Published: 2026-04-14 15:19 – Updated: 2026-04-14 16:27
VLAI
Summary
CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause excessive troubleshooting zip file creation and denial of service when a Web Admin user floods the system with POST /helpabout requests.
Severity
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | PowerChute™ Serial Shutdown |
Affected:
Versions 1.4 and prior
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2405",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T16:25:50.086988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:27:33.148Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerChute\u2122 Serial Shutdown",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions 1.4 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause excessive troubleshooting zip file creation and denial of service when a Web Admin user floods the system with POST /helpabout requests."
}
],
"value": "CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause excessive troubleshooting zip file creation and denial of service when a Web Admin user floods the system with POST /helpabout requests."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:19:40.765Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-104-01.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-2405",
"datePublished": "2026-04-14T15:19:40.765Z",
"dateReserved": "2026-02-12T13:19:05.750Z",
"dateUpdated": "2026-04-14T16:27:33.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2402 (GCVE-0-2026-2402)
Vulnerability from cvelistv5 – Published: 2026-04-14 15:16 – Updated: 2026-04-14 16:27
VLAI
Summary
CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on a sequence of requests to multiple endpoints.
Severity
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | PowerChute™ Serial Shutdown |
Affected:
Versions v1.4 and prior
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2402",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T16:26:07.842287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:27:38.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerChute\u2122 Serial Shutdown",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions v1.4 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on a sequence of requests to multiple endpoints."
}
],
"value": "CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on a sequence of requests to multiple endpoints."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:16:42.073Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-104-01.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-2402",
"datePublished": "2026-04-14T15:16:17.583Z",
"dateReserved": "2026-02-12T13:19:01.113Z",
"dateUpdated": "2026-04-14T16:27:38.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2404 (GCVE-0-2026-2404)
Vulnerability from cvelistv5 – Published: 2026-04-14 15:13 – Updated: 2026-04-14 16:27
VLAI
Summary
CWE-116 Improper Encoding or Escaping of Output vulnerability exists that could cause log injection and forged log when an attacker alters the POST /j_security check request payload.
Severity
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | PowerChute™ Serial Shutdown |
Affected:
Versions 1.4 and prior
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2404",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T16:26:32.467506Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:27:43.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerChute\u2122 Serial Shutdown",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions 1.4 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-116 Improper Encoding or Escaping of Output vulnerability exists that could cause log injection and forged log when an attacker alters the POST /j_security check request payload."
}
],
"value": "CWE-116 Improper Encoding or Escaping of Output vulnerability exists that could cause log injection and forged log when an attacker alters the POST /j_security check request payload."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:13:50.351Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-104-01.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-2404",
"datePublished": "2026-04-14T15:13:50.351Z",
"dateReserved": "2026-02-12T13:19:03.924Z",
"dateUpdated": "2026-04-14T16:27:43.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2399 (GCVE-0-2026-2399)
Vulnerability from cvelistv5 – Published: 2026-04-14 15:09 – Updated: 2026-04-14 15:52
VLAI
Summary
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause critical files overwritten with text data when a Web Admin user alters the POST /REST/upssleep request payload.
Severity
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | PowerChute™ Serial Shutdown |
Affected:
Versions 1.4 and prior
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2399",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:51:11.359624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:52:07.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerChute\u2122 Serial Shutdown",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions 1.4 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could cause critical files overwritten with text data when a Web Admin user alters the POST /REST/upssleep request payload."
}
],
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could cause critical files overwritten with text data when a Web Admin user alters the POST /REST/upssleep request payload."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:09:58.751Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-104-01.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-2399",
"datePublished": "2026-04-14T15:09:58.751Z",
"dateReserved": "2026-02-12T13:16:54.228Z",
"dateUpdated": "2026-04-14T15:52:07.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4832 (GCVE-0-2026-4832)
Vulnerability from cvelistv5 – Published: 2026-04-14 15:05 – Updated: 2026-04-14 18:16
VLAI
Summary
CWE-798 Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to sensitive device information when an unauthenticated attacker is able to interrogate the SNMP port.
Severity
CWE
- CWE-798 - Use of Hard-Coded Credentials
Assigner
References
1 reference
Impacted products
12 products
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | Easergy MiCOM P14x |
Affected:
All versions prior to B4A
|
|
| Schneider Electric | Easergy MiCOM P24x |
Affected:
All versions prior to D3A
|
|
| Schneider Electric | Easergy MiCOM P341 |
Affected:
All versions prior to E3F
|
|
| Schneider Electric | Easergy MiCOM P342, P343, P344, P345 |
Affected:
All versions prior to B3F
|
|
| Schneider Electric | Easergy MiCOM P442, P444 |
Affected:
All versions prior to E3A
|
|
| Schneider Electric | Easergy MiCOM P443, P445, P446, P543, P544, P545, P546 |
Affected:
All versions prior to H6A
|
|
| Schneider Electric | Easergy MiCOM P642, P645 |
Affected:
All versions prior to B4A
|
|
| Schneider Electric | Easergy MiCOM P643 |
Affected:
All versions prior to B3F
|
|
| Schneider Electric | Easergy MiCOM P741, P742, P743 |
Affected:
All versions prior to B2A
|
|
| Schneider Electric | Easergy MiCOM P746 |
Affected:
All versions prior to B4E or C4E
|
|
| Schneider Electric | Easergy MiCOM P841 |
Affected:
All versions prior to G6A
|
|
| Schneider Electric | Easergy MiCOM P849 |
Affected:
All versions prior to B4A
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4832",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T18:15:51.123382Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T18:16:06.726Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM P14x",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions prior to B4A"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM P24x",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions prior to D3A"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM P341",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions prior to E3F"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM P342, P343, P344, P345",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions prior to B3F"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM P442, P444",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions prior to E3A"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM P443, P445, P446, P543, P544, P545, P546",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions prior to H6A"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM P642, P645",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions prior to B4A"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM P643",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions prior to B3F"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM P741, P742, P743",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions prior to B2A"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM P746",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions prior to B4E or C4E"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM P841",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions prior to G6A"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Easergy MiCOM P849",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions prior to B4A"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-798 Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to sensitive device information when an unauthenticated attacker is able to interrogate the SNMP port."
}
],
"value": "CWE-798 Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to sensitive device information when an unauthenticated attacker is able to interrogate the SNMP port."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-Coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:17:08.719Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-104-03.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-4832",
"datePublished": "2026-04-14T15:05:00.845Z",
"dateReserved": "2026-03-25T14:13:10.490Z",
"dateUpdated": "2026-04-14T18:16:06.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2273 (GCVE-0-2026-2273)
Vulnerability from cvelistv5 – Published: 2026-03-10 17:18 – Updated: 2026-03-10 17:42
VLAI
Summary
CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exist that could cause execution of untrusted commands on the engineering workstation which could result in a limited compromise of the workstation and a potential loss of Confidentiality, Integrity and Availability of the subsequent system when an authenticated user opens a malicious project file.
Severity
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | EcoStruxure™ Automation Expert |
Affected:
Versions prior to v25.0.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2273",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T17:42:09.226674Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T17:42:47.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Automation Expert",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions prior to v25.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability exist that could cause execution of untrusted commands on the engineering workstation which could result in a limited compromise of the workstation and a potential loss of Confidentiality, Integrity and Availability of the subsequent system when an authenticated user opens a malicious project file."
}
],
"value": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability exist that could cause execution of untrusted commands on the engineering workstation which could result in a limited compromise of the workstation and a potential loss of Confidentiality, Integrity and Availability of the subsequent system when an authenticated user opens a malicious project file."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T17:18:39.374Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-069-04.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-2273",
"datePublished": "2026-03-10T17:18:39.374Z",
"dateReserved": "2026-02-10T09:45:08.807Z",
"dateUpdated": "2026-03-10T17:42:47.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1286 (GCVE-0-2026-1286)
Vulnerability from cvelistv5 – Published: 2026-03-10 17:09 – Updated: 2026-03-10 17:55
VLAI
Summary
CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when an admin authenticated user opens a malicious project file.
Severity
CWE
- CWE-502 - Deserialization of untrusted data
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | EcoStruxure™ Foxboro DCS |
Affected:
Versions prior to CS8.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1286",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T17:54:10.514863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T17:55:36.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Foxboro DCS",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions prior to CS8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when an admin authenticated user opens a malicious project file."
}
],
"value": "CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when an admin authenticated user opens a malicious project file."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of untrusted data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T17:09:18.120Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-069-03.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-1286",
"datePublished": "2026-03-10T17:09:18.120Z",
"dateReserved": "2026-01-21T13:15:37.247Z",
"dateUpdated": "2026-03-10T17:55:36.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13902 (GCVE-0-2025-13902)
Vulnerability from cvelistv5 – Published: 2026-03-10 17:06 – Updated: 2026-03-10 18:19
VLAI
Summary
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim’s browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload.
Severity
CWE
- CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | Modicon Controllers M241/M251 |
Affected:
Versions prior to 5.4.13.12
|
|
| Schneider Electric | Modicon Controllers M258/LMC058 |
Affected:
All versions
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T18:17:03.131045Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T18:19:19.395Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Modicon Controllers M241/M251",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions prior to 5.4.13.12"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Modicon Controllers M258/LMC058",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability exists that could cause condition where authenticated attackers can have a victim\u2019s browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload."
}
],
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability exists that could cause condition where authenticated attackers can have a victim\u2019s browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T17:11:39.985Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-069-02.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-13902",
"datePublished": "2026-03-10T17:06:00.208Z",
"dateReserved": "2025-12-02T16:20:41.599Z",
"dateUpdated": "2026-03-10T18:19:19.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13901 (GCVE-0-2025-13901)
Vulnerability from cvelistv5 – Published: 2026-03-10 17:02 – Updated: 2026-03-10 17:25
VLAI
Summary
CWE-404 Improper Resource Shutdown or Release vulnerability exists that could cause partial Denial of Service on Machine Expert protocol when an unauthenticated attacker sends malicious payload to occupy active communication channels.
Severity
CWE
- CWE-404 - Improper Resource Shutdown or Release
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | Modicon M241/M251 |
Affected:
Versions prior to 5.4.13.12
|
|
| Schneider Electric | Modicon M262 |
Affected:
Versions prior to 5.4.10.12
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13901",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T17:24:36.387715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T17:25:20.028Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Modicon M241/M251",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions prior to 5.4.13.12"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Modicon M262",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions prior to 5.4.10.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-404 Improper Resource Shutdown or Release vulnerability exists that could cause partial Denial of Service on Machine Expert protocol when an unauthenticated attacker sends malicious payload to occupy active communication channels."
}
],
"value": "CWE-404 Improper Resource Shutdown or Release vulnerability exists that could cause partial Denial of Service on Machine Expert protocol when an unauthenticated attacker sends malicious payload to occupy active communication channels."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404 Improper Resource Shutdown or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T17:12:53.896Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-069-01.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-13901",
"datePublished": "2026-03-10T17:02:22.998Z",
"dateReserved": "2025-12-02T16:20:27.551Z",
"dateUpdated": "2026-03-10T17:25:20.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11739 (GCVE-0-2025-11739)
Vulnerability from cvelistv5 – Published: 2026-03-10 12:25 – Updated: 2026-03-10 17:26
VLAI
Summary
CWE‑502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stream, triggering unsafe deserialization.
Severity
CWE
- CWE-502 - Deserialization of untrusted data
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | EcoStruxure™ Power Monitoring Expert (PME) |
Affected:
Version 2022
Affected: Version 2023 Affected: Version 2023 R2 Affected: Version 2024 Affected: Version 2024 R2 |
|
| Schneider Electric | EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module |
Affected:
Version 2022
Affected: Version 2024 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11739",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T13:33:55.316218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T13:34:01.324Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Monitoring Expert (PME)",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 2022"
},
{
"status": "affected",
"version": "Version 2023"
},
{
"status": "affected",
"version": "Version 2023 R2"
},
{
"status": "affected",
"version": "Version 2024"
},
{
"status": "affected",
"version": "Version 2024 R2"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Power Operation (EPO) Advanced Reporting and Dashboards Module",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Version 2022"
},
{
"status": "affected",
"version": "Version 2024"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE\u2011502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stream, triggering unsafe deserialization."
}
],
"value": "CWE\u2011502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stream, triggering unsafe deserialization."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of untrusted data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T17:26:25.203Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-06\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-069-06.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-11739",
"datePublished": "2026-03-10T12:25:14.501Z",
"dateReserved": "2025-10-14T13:43:50.195Z",
"dateUpdated": "2026-03-10T17:26:25.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13957 (GCVE-0-2025-13957)
Vulnerability from cvelistv5 – Published: 2026-03-10 12:19 – Updated: 2026-03-10 17:21
VLAI
Summary
CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default.
Severity
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | EcoStruxure™ IT Data Center Expert (Formerly known as StruxureWare Data Center Expert) |
Affected:
v9.0 and prior
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13957",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T13:42:04.681474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T13:42:15.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 IT Data Center Expert (Formerly known as StruxureWare Data Center Expert)",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "v9.0 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default."
}
],
"value": "CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T17:21:41.222Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-05\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-069-05.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-13957",
"datePublished": "2026-03-10T12:19:04.041Z",
"dateReserved": "2025-12-03T14:05:40.047Z",
"dateUpdated": "2026-03-10T17:21:41.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1226 (GCVE-0-2026-1226)
Vulnerability from cvelistv5 – Published: 2026-02-11 13:49 – Updated: 2026-02-11 14:07
VLAI
Summary
CWE‑94: Improper Control of Generation of Code vulnerability exists that could cause execution of untrusted or unintended code within the application when maliciously crafted design content is processed through a TGML graphics file.
Severity
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | EcoStruxure Building Operation Workstation |
Affected:
All 7.0.x versions prior to 7.0.2
|
|
| Schneider Electric | EcoStruxure Building Operation Webstation |
Affected:
All 6.0.x versions prior to 6.0.4.7000 (CP5)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1226",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-11T14:07:20.670514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T14:07:27.708Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Building Operation Workstation",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All 7.0.x versions prior to 7.0.2"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Building Operation Webstation",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All 6.0.x versions prior to 6.0.4.7000 (CP5)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE\u201194: Improper Control of Generation of Code vulnerability exists that could cause execution of untrusted or unintended code within the application when maliciously crafted design content is processed through a TGML graphics file."
}
],
"value": "CWE\u201194: Improper Control of Generation of Code vulnerability exists that could cause execution of untrusted or unintended code within the application when maliciously crafted design content is processed through a TGML graphics file."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T13:49:45.465Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-041-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-041-02.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-1226",
"datePublished": "2026-02-11T13:49:45.465Z",
"dateReserved": "2026-01-20T12:38:21.548Z",
"dateUpdated": "2026-02-11T14:07:27.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1227 (GCVE-0-2026-1227)
Vulnerability from cvelistv5 – Published: 2026-02-11 13:45 – Updated: 2026-02-11 14:08
VLAI
Summary
CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized disclosure of local files, interaction within the EBO system, or denial of service conditions when a local user uploads a specially crafted TGML graphics file to the EBO server from Workstation.
Severity
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | EcoStruxure Building Operation Workstation |
Affected:
All 7.0.x versions prior to 7.0.3.2000 (CP1)
|
|
| Schneider Electric | EcoStruxure Building Operation Webstation |
Affected:
All 6.x versions prior to 6.0.4.14001 (CP10)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1227",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-11T14:08:12.326386Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T14:08:24.750Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Building Operation Workstation",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All 7.0.x versions prior to 7.0.3.2000 (CP1)"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Building Operation Webstation",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All 6.x versions prior to 6.0.4.14001 (CP10)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized disclosure of local files, interaction within the EBO system, or denial of service conditions when a local user uploads a specially crafted TGML graphics file to the EBO server from Workstation."
}
],
"value": "CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized disclosure of local files, interaction within the EBO system, or denial of service conditions when a local user uploads a specially crafted TGML graphics file to the EBO server from Workstation."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T13:45:51.675Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-041-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-041-02.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2026-1227",
"datePublished": "2026-02-11T13:45:51.675Z",
"dateReserved": "2026-01-20T12:38:23.080Z",
"dateUpdated": "2026-02-11T14:08:24.750Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13905 (GCVE-0-2025-13905)
Vulnerability from cvelistv5 – Published: 2026-01-29 15:20 – Updated: 2026-01-29 16:10
VLAI
Summary
CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation through the reverse shell when one or more executable service binaries are modified in the installation folder by a local user with normal privilege upon service restart.
Severity
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | EcoStruxure™ Process Expert |
Affected:
Versions prior to 2025
|
|
| Schneider Electric | EcoStruxure™ Process Expert for AVEVA System Platform |
Affected:
All versions
|
Date Public
2026-01-13 15:18
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13905",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T15:50:11.436614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T16:10:59.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Process Expert",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions prior to 2025"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure\u2122 Process Expert for AVEVA System Platform",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"datePublic": "2026-01-13T15:18:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation through the reverse shell when one or more executable service binaries are modified in the installation folder by a local user with normal privilege upon service restart."
}
],
"value": "CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation through the reverse shell when one or more executable service binaries are modified in the installation folder by a local user with normal privilege upon service restart."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T15:20:45.864Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-013-02.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-13905",
"datePublished": "2026-01-29T15:20:45.864Z",
"dateReserved": "2025-12-02T16:35:40.124Z",
"dateUpdated": "2026-01-29T16:10:59.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13845 (GCVE-0-2025-13845)
Vulnerability from cvelistv5 – Published: 2026-01-15 18:33 – Updated: 2026-01-15 18:54
VLAI
Summary
CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody.
Severity
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | EcoStruxure Power Build Rapsody |
Affected:
FR v2.8.1.0300 and prior
Affected: ESP v2.8.5.0200 and prior Affected: PT v2.8.7.0100 and prior Affected: BEL (FR) v2.8.8.0100 and prior Affected: BEL (EN) v2.8.3.0100 and prior Affected: INT (EN) v2.8.4.0300 and prior Affected: NL v2.8.2.0000 and prior |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13845",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T18:52:53.300481Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T18:54:16.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Power Build Rapsody",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "FR v2.8.1.0300 and prior"
},
{
"status": "affected",
"version": "ESP v2.8.5.0200 and prior"
},
{
"status": "affected",
"version": "PT v2.8.7.0100 and prior"
},
{
"status": "affected",
"version": "BEL (FR) v2.8.8.0100 and prior"
},
{
"status": "affected",
"version": "BEL (EN) v2.8.3.0100 and prior"
},
{
"status": "affected",
"version": "INT (EN) v2.8.4.0300 and prior"
},
{
"status": "affected",
"version": "NL v2.8.2.0000 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody."
}
],
"value": "CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T18:33:23.235Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-013-04.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-13845",
"datePublished": "2026-01-15T18:33:23.235Z",
"dateReserved": "2025-12-01T19:20:04.243Z",
"dateUpdated": "2026-01-15T18:54:16.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13844 (GCVE-0-2025-13844)
Vulnerability from cvelistv5 – Published: 2026-01-15 18:28 – Updated: 2026-01-15 18:55
VLAI
Summary
CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody.
Severity
CWE
- CWE-415 - Double Free
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | EcoStruxure Power Build Rapsody |
Affected:
FR v2.8.1 and prior
Affected: INT v2.8.6 and prior Affected: ES v2.8.5 and prior Affected: BEL (NL) v2.8.3 and prior Affected: BEL (FR) v2.8.8 and prior |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13844",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T18:55:20.238410Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T18:55:41.866Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Power Build Rapsody",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "FR v2.8.1 and prior"
},
{
"status": "affected",
"version": "INT v2.8.6 and prior"
},
{
"status": "affected",
"version": "ES v2.8.5 and prior"
},
{
"status": "affected",
"version": "BEL (NL) v2.8.3 and prior"
},
{
"status": "affected",
"version": "BEL (FR) v2.8.8 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody."
}
],
"value": "CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T18:28:37.316Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-013-04.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-13844",
"datePublished": "2026-01-15T18:28:37.316Z",
"dateReserved": "2025-12-01T19:13:56.544Z",
"dateUpdated": "2026-01-15T18:55:41.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11567 (GCVE-0-2025-11567)
Vulnerability from cvelistv5 – Published: 2025-11-12 13:27 – Updated: 2025-11-12 18:50
VLAI
Summary
CWE-276: Incorrect Default Permissions vulnerability exists that could cause elevated system access when the target installation folder is not properly secured.
Severity
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | PowerChute™ Serial Shutdown |
Affected:
Versions v1.3 and prior
(custom)
|
Date Public
2025-11-11 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11567",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:03:16.647582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:04:25.508Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerChute\u2122 Serial Shutdown",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions v1.3 and prior",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-11-11T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-276: Incorrect Default Permissions vulnerability exists that could cause elevated system access when the target installation folder is not properly secured.\u003cbr\u003e"
}
],
"value": "CWE-276: Incorrect Default Permissions vulnerability exists that could cause elevated system access when the target installation folder is not properly secured."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T18:50:03.699Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-315-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-315-01.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-11567",
"datePublished": "2025-11-12T13:27:56.004Z",
"dateReserved": "2025-10-09T15:17:30.858Z",
"dateUpdated": "2025-11-12T18:50:03.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11566 (GCVE-0-2025-11566)
Vulnerability from cvelistv5 – Published: 2025-11-12 13:26 – Updated: 2025-11-12 18:46
VLAI
Summary
CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on the /REST/shutdownnow endpoint.
Severity
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | PowerChute™ Serial Shutdown |
Affected:
Versions v1.3 and prior
(custom)
|
Date Public
2025-11-11 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11566",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:07:35.655696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:07:43.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerChute\u2122 Serial Shutdown",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions v1.3 and prior",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-11-11T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on the /REST/shutdownnow endpoint.\u003cbr\u003e"
}
],
"value": "CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on the /REST/shutdownnow endpoint."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T18:46:45.992Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-315-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-315-01.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-11566",
"datePublished": "2025-11-12T13:26:14.702Z",
"dateReserved": "2025-10-09T15:11:52.000Z",
"dateUpdated": "2025-11-12T18:46:45.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11565 (GCVE-0-2025-11565)
Vulnerability from cvelistv5 – Published: 2025-11-12 13:19 – Updated: 2025-11-12 18:45
VLAI
Summary
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause elevated system access when a Web Admin user on the local network tampers with the POST /REST/UpdateJRE request payload.
Severity
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | PowerChute™ Serial Shutdown |
Affected:
Versions v1.3 and prior
(custom)
|
Date Public
2025-11-11 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:09:55.180457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:10:03.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerChute\u2122 Serial Shutdown",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "Versions v1.3 and prior",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-11-11T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could cause elevated system access when a Web Admin user on the local network tampers with the POST /REST/UpdateJRE request payload."
}
],
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability exists that could cause elevated system access when a Web Admin user on the local network tampers with the POST /REST/UpdateJRE request payload."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T18:45:10.615Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-315-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-315-01.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-11565",
"datePublished": "2025-11-12T13:19:55.722Z",
"dateReserved": "2025-10-09T15:10:36.405Z",
"dateUpdated": "2025-11-12T18:45:10.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9997 (GCVE-0-2025-9997)
Vulnerability from cvelistv5 – Published: 2025-09-09 21:12 – Updated: 2025-09-10 19:34
VLAI
Summary
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause command injection in BLMon that is executed in the operating system console when in a SSH session.
Severity
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | Saitel DR RTU |
Affected:
all versions , ≤ 11.06.29
(version)
|
|
| Schneider Electric | Saitel DP RTU |
Affected:
all versions , ≤ 11.06.33
(version)
|
Date Public
2025-09-09 04:01
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9997",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T19:34:13.130524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T19:34:21.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Saitel DR RTU",
"vendor": "Schneider Electric",
"versions": [
{
"lessThanOrEqual": "11.06.29",
"status": "affected",
"version": "all versions",
"versionType": "version"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Saitel DP RTU",
"vendor": "Schneider Electric",
"versions": [
{
"lessThanOrEqual": "11.06.33",
"status": "affected",
"version": "all versions",
"versionType": "version"
}
]
}
],
"datePublic": "2025-09-09T04:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) vulnerability exists that could cause command injection in BLMon that is executed in the operating system console when in a SSH session."
}
],
"value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) vulnerability exists that could cause command injection in BLMon that is executed in the operating system console when in a SSH session."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T21:12:35.969Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-252-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-252-02.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-9997",
"datePublished": "2025-09-09T21:12:35.969Z",
"dateReserved": "2025-09-04T16:16:04.091Z",
"dateUpdated": "2025-09-10T19:34:21.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9996 (GCVE-0-2025-9996)
Vulnerability from cvelistv5 – Published: 2025-09-09 21:11 – Updated: 2025-09-10 20:26
VLAI
Summary
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause the execution of any shell command when executing a netstat command using BLMon Console in an SSH session.
Severity
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | Saitel DR RTU |
Affected:
all versions , ≤ 11.06.29
(version)
|
|
| Schneider Electric | Saitel DP RTU |
Affected:
all versions , ≤ 11.06.33
(version)
|
Date Public
2025-09-09 04:01
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9996",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T20:26:36.121564Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T20:26:45.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Saitel DR RTU",
"vendor": "Schneider Electric",
"versions": [
{
"lessThanOrEqual": "11.06.29",
"status": "affected",
"version": "all versions",
"versionType": "version"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Saitel DP RTU",
"vendor": "Schneider Electric",
"versions": [
{
"lessThanOrEqual": "11.06.33",
"status": "affected",
"version": "all versions",
"versionType": "version"
}
]
}
],
"datePublic": "2025-09-09T04:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) vulnerability exists that could cause the execution of any shell command when executing a netstat command using BLMon Console in an SSH session."
}
],
"value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) vulnerability exists that could cause the execution of any shell command when executing a netstat command using BLMon Console in an SSH session."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T21:11:15.034Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-252-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-252-02.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-9996",
"datePublished": "2025-09-09T21:11:15.034Z",
"dateReserved": "2025-09-04T16:16:03.592Z",
"dateUpdated": "2025-09-10T20:26:45.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7746 (GCVE-0-2025-7746)
Vulnerability from cvelistv5 – Published: 2025-09-09 21:02 – Updated: 2025-11-03 18:14
VLAI
Summary
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause an unvalidated data injected by a malicious user potentially leading to modify or read data in a victim’s browser.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | ATV630/650/660/680/6A0/6B0/6L0 Altivar Process Drives |
Affected:
all versions
|
|
| Schneider Electric | ATV930/950/955/960/980/9A0/9B0/9L0/991/992/993 Altivar Process Drives |
Affected:
all versions
|
|
| Schneider Electric | ILC992 InterLink Converter |
Affected:
all versions
|
|
| Schneider Electric | ATV340E Altivar Machine Drives |
Affected:
all versions
|
|
| Schneider Electric | ATV6000 Medium Voltage Altivar Process Drives |
Affected:
all versions
|
|
| Schneider Electric | ATS490 Altivar Soft Starter |
Affected:
all versions
|
|
| Schneider Electric | VW3A3720 & VW3A3721 Altivar Process Communication Modules |
Affected:
all versions
|
|
| Schneider Electric | VW3A3530D: ATVdPAC module |
Affected:
all versions , < v25.0
(version)
|
Date Public
2025-09-09 04:01
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T13:40:20.821038Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T16:10:34.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T18:14:06.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2025/Sep/69"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ATV630/650/660/680/6A0/6B0/6L0 Altivar Process Drives",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ATV930/950/955/960/980/9A0/9B0/9L0/991/992/993 Altivar Process Drives",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ILC992 InterLink Converter",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ATV340E Altivar Machine Drives",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ATV6000 Medium Voltage Altivar Process Drives",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ATS490 Altivar Soft Starter",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "VW3A3720 \u0026 VW3A3721 Altivar Process Communication Modules",
"vendor": "Schneider Electric",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "VW3A3530D: ATVdPAC module",
"vendor": "Schneider Electric",
"versions": [
{
"lessThan": "v25.0",
"status": "affected",
"version": "all versions",
"versionType": "version"
}
]
}
],
"datePublic": "2025-09-09T04:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability exists that could cause an unvalidated data injected by a malicious user potentially leading to modify or read data in a victim\u2019s browser."
}
],
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability exists that could cause an unvalidated data injected by a malicious user potentially leading to modify or read data in a victim\u2019s browser."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T21:02:08.936Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-252-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-252-01.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-7746",
"datePublished": "2025-09-09T21:02:08.936Z",
"dateReserved": "2025-07-17T09:10:51.541Z",
"dateUpdated": "2025-11-03T18:14:06.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8448 (GCVE-0-2025-8448)
Vulnerability from cvelistv5 – Published: 2025-08-20 13:58 – Updated: 2025-09-09 20:55
VLAI
Summary
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause unauthorized access to sensitive credential data when an attacker is able to capture local SMB traffic between a valid user within the BMS network and the vulnerable products.
Severity
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Eelctric | EcoStruxure Building Operation Enterprise Server |
Affected:
All 7.x versions , < 7.0.2.348
(version)
Affected: All 6.x versions , < 6.0.4.10001 (CP8) (version) Affected: All 5.x versions , < 5.0.3.17009 (CP16) (version) |
|
| Schneider Electric | EcoStruxure Enterprise Server |
Affected:
All 7.x versions , < 7.0.2.348
(version)
Affected: All 6.x versions , < 6.0.4.10001 (CP8) (version) Affected: All 5.x versions , < 5.0.3.17009 (CP16) (version) |
|
| Schneider Eelctric | EcoStruxure Building Operation Workstation |
Affected:
All 7.x versions , < 7.0.2.348
(version)
Affected: All 6.x versions , < 6.0.4.10001 (CP8) (version) Affected: All 5.x versions , < 5.0.3.17009 (CP16) (version) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8448",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T15:51:48.499459Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:51:53.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Building Operation Enterprise Server",
"vendor": "Schneider Eelctric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "affected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "affected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Enterprise Server",
"vendor": "Schneider Electric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "affected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "affected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Building Operation Workstation",
"vendor": "Schneider Eelctric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "affected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "affected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause unauthorized access to sensitive credential data when an attacker is able to capture local SMB traffic between a valid user within the BMS network and the vulnerable products."
}
],
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause unauthorized access to sensitive credential data when an attacker is able to capture local SMB traffic between a valid user within the BMS network and the vulnerable products."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 1,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T20:55:43.384Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-04.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-8448",
"datePublished": "2025-08-20T13:58:53.818Z",
"dateReserved": "2025-07-31T21:02:43.599Z",
"dateUpdated": "2025-09-09T20:55:43.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}