Schneider Electric EcoStruxure Power Monitoring Expert (PME) (Update B)

Plan Patch | CVSS 7.1 | ICS-CERT ICSA-25-037-01 | Oct 8, 2024
Vendor: Schneider Electric | Sector: Energy
Attack path
  • Attack Vector: Network
  • Auth Required: Low (a valid low-privilege user account)
  • Complexity: High
  • User Interaction: Required
Summary

Schneider Electric EcoStruxure Power Monitoring Expert (PME) is vulnerable to unsafe deserialization of untrusted data (CWE-502), which could lead to Remote Code Execution. The vulnerability occurs when PME processes uploaded serialized files without proper validation. Affected versions include PME 2022 and all prior versions (2021 and earlier). PME 2022 versions can be patched via Hotfix_75031_PME2022. PME 2021 and earlier versions have reached end-of-life support; Schneider Electric recommends upgrading to the latest PME version to resolve this issue.

What this means
What could happen
An attacker with legitimate user credentials could upload a malicious serialized file to PME, causing the application to deserialize untrusted data and execute arbitrary commands on the monitoring server. This could allow an attacker to compromise the power monitoring system and potentially interfere with energy facility operations.
Who's at risk
Power utility operators and energy-intensive facility managers using EcoStruxure Power Monitoring Expert (PME) for real-time monitoring and analytics of electrical infrastructure. This affects both legacy PME 2021 and earlier deployments as well as current PME 2022 installations.
How it could be exploited
An attacker holding valid PME user credentials uploads a crafted serialized object file through the PME application interface. Because PME deserializes the uploaded content without validating it, the attacker-controlled object graph is reconstructed on the server and can trigger Remote Code Execution with the privileges of the PME application service account, giving the attacker command execution on the server hosting PME.
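The pattern described above, as an added example that is not Schneider Electric's code and says nothing about PME's internals: a hypothetical upload handler that deserializes what it receives (the CWE-502 shape) beside a hardened form that rejects native object streams at the boundary and only accepts a data-only format checked against an explicit schema. PME is a Windows/.NET application; Python's pickle stands in for the native serializer so the example runs stand-alone. The handler names, the report schema and the sample payloads are constructed for illustration.

```python
"""
Added example (not Schneider Electric code): an upload-then-deserialize
handler of the kind described in the advisory (CWE-502), beside a hardened
form. pickle stands in for the native serializer; all names, the report
schema and the sample payloads are constructed for illustration.
"""
import json
import pickle

# Stand-in for the dangerous sink. In a real gadget chain this would be
# os.system / Process.Start; here it only records the command so the
# example is safe to run.
EXECUTED_COMMANDS = []


def run_attacker_command(cmd):
    EXECUTED_COMMANDS.append(cmd)


class Gadget:
    """Object whose deserialization calls a function of the attacker's choosing.

    pickle honours __reduce__ on load, so the callable and arguments stored
    in the stream are invoked before application code ever sees the object.
    """

    def __reduce__(self):
        return (run_attacker_command, ("whoami",))


def build_malicious_upload():
    """Constructed sample of a malicious 'serialized file' an attacker uploads."""
    return pickle.dumps(Gadget())


# ---- Vulnerable pattern (CWE-502) -------------------------------------------
def import_report_vulnerable(blob):
    """Hypothetical handler: deserializes the upload as-is. The attacker's
    callable runs inside loads(), before any validation could happen."""
    return pickle.loads(blob)


# ---- Hardened pattern -------------------------------------------------------
def detect_serialized_object(blob):
    """Return the serializer name if the upload is a native object stream, else None.

    Well-known stream headers:
      .NET BinaryFormatter    00, RootId(4), FF FF FF FF, 01 00 00 00, 00 00 00 00
      Java ObjectOutputStream AC ED 00 05
      Python pickle           80 followed by the protocol number (2..5)
    """
    if (len(blob) >= 17 and blob[0] == 0x00
            and blob[5:9] == b"\xff\xff\xff\xff"
            and blob[9:17] == b"\x01\x00\x00\x00\x00\x00\x00\x00"):
        return ".NET BinaryFormatter"
    if blob.startswith(b"\xac\xed\x00\x05"):
        return "Java ObjectOutputStream"
    if len(blob) >= 2 and blob[0] == 0x80 and 2 <= blob[1] <= 5:
        return "Python pickle (protocol %d)" % blob[1]
    return None


# Hypothetical data-only schema for an import: field name -> accepted types.
REPORT_SCHEMA = {"site": str, "meter": str, "kwh": (int, float)}


def import_report_hardened(blob):
    """Reject object streams outright, then parse a data-only format (JSON)
    and validate it against an explicit schema. Nothing in the upload can
    name a class or a callable, so there is no code to run on load."""
    kind = detect_serialized_object(blob)
    if kind is not None:
        raise ValueError("rejected upload: %s object stream" % kind)
    try:
        data = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("rejected upload: not valid JSON") from exc
    if not isinstance(data, dict) or set(data) != set(REPORT_SCHEMA):
        raise ValueError("rejected upload: unexpected field set")
    for field, accepted in REPORT_SCHEMA.items():
        value = data[field]
        if isinstance(value, bool) or not isinstance(value, accepted):
            raise ValueError("rejected upload: bad type for %s" % field)
    return data


if __name__ == "__main__":
    payload = build_malicious_upload()
    import_report_vulnerable(payload)
    print("vulnerable handler ran attacker command:", EXECUTED_COMMANDS)
    try:
        import_report_hardened(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
    good = b'{"site": "Plant A", "meter": "MTR-01", "kwh": 12.5}'
    print("hardened handler accepted:", import_report_hardened(good))
```

The magic-byte check is a boundary control, not a fix: it catches the common native serializer headers but a product whose own code still calls an unsafe deserializer remains vulnerable to any stream that gets past it, which is why the vendor hotfix, not an upload filter, is the remediation.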
Prerequisites
  • Valid EcoStruxure Power Monitoring Expert (PME) user account credentials
  • Network access to the PME application interface (HTTP/HTTPS)
  • Ability to upload files to PME
  • High attack complexity: the attacker must craft a serialized payload that the target's deserializer will turn into code execution, rather than simply uploading arbitrary data
  • Remotely exploitable via the application interface
  • Requires valid user credentials (not unauthenticated)
  • High attack complexity
  • Affects critical power monitoring infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (2, both with a fix path)
Product                                    Affected Versions        Fix Status
EcoStruxure Power Monitoring Expert (PME)  2022                     Hotfix_75031_PME2022
EcoStruxure Power Monitoring Expert (PME)  2021 and earlier (EOL)   No hotfix; upgrade to the latest PME version
Remediation & Mitigation
Do now
EcoStruxure™ Power Monitoring Expert (PME)
WORKAROUND: Restrict network access to the PME application to authorized personnel only, using firewall rules or network segmentation. This reduces exposure but does not remove the vulnerability: exploitation already requires a valid account, so a malicious or compromised account holder inside the allowed network can still reach the upload function.
Schedule — requires maintenance window

Applying the hotfix may require a restart of the PME server; plan for an interruption to monitoring during the maintenance window.

EcoStruxure™ Power Monitoring Expert (PME)
HOTFIX: Apply Hotfix_75031_PME2022 to EcoStruxure Power Monitoring Expert (PME) 2022
HOTFIX: For PME 2021 and earlier (end-of-life versions), upgrade to the latest PME version to receive the fix; Hotfix_75031_PME2022 applies only to PME 2022
Long-term hardening
EcoStruxure™ Power Monitoring Expert (PME)
HARDENING: Enforce strong password policies and multi-factor authentication for all PME user accounts
HARDENING: Review and limit PME user accounts to those with a legitimate operational need