OTPulse

Schneider Electric EcoStruxure Power Monitoring Expert (PME) (Update B)

Plan Patch | 7.1 | ICS-CERT ICSA-25-037-01 | Oct 8, 2024
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: Required
Summary

EcoStruxure Power Monitoring Expert (PME) is vulnerable to unsafe deserialization of untrusted data, which could result in remote code execution. The vulnerability affects PME Version 2022 and all earlier versions. An attacker with valid engineering or administrative credentials can send a specially crafted request to trigger deserialization of malicious serialized objects, executing arbitrary code on the PME server. This affects power monitoring and energy management systems used in critical facilities.

What this means
What could happen
An attacker with valid credentials could inject malicious serialized data into EcoStruxure PME, leading to remote code execution on the monitoring server and potential unauthorized control over power monitoring and management functions in your facility.
Who's at risk
This vulnerability affects utilities and large facilities that deploy EcoStruxure Power Monitoring Expert for real-time monitoring and management of electrical power systems. Energy sector operators running PME Version 2022 or earlier on critical power monitoring infrastructure should prioritize remediation.
How it could be exploited
An attacker with valid engineering or administrative credentials sends a specially crafted request containing untrusted serialized data to EcoStruxure PME. The application deserializes this data without proper validation, executing arbitrary code on the server with the privileges of the PME application.
Prerequisites
  • Valid engineering or administrative credentials for EcoStruxure PME
  • Network access to the EcoStruxure PME application interface
  • User interaction to trigger deserialization (UI component interaction or data submission)
  • Knowledge of PME serialization format or exploitation framework
Remotely exploitable · Requires valid credentials · High attack complexity · Affects power monitoring and energy management systems · Version 2021 and earlier are end-of-life with no patch planned · Deserialization of untrusted data
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
EcoStruxure™ Power Monitoring Expert (PME) | 2022 | Hotfix_75031_PME2022
EcoStruxure Power Monitoring Expert (PME) | ≤ 2021 | Hotfix_75031_PME2022
Remediation & Mitigation
Do now
EcoStruxure™ Power Monitoring Expert (PME)
WORKAROUND: Restrict network access to EcoStruxure PME application interface to authorized engineering and administrative personnel only, using firewall rules or network segmentation
HARDENING: Enforce strong, unique passwords for all EcoStruxure PME engineering and administrative accounts; disable default credentials if any exist
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EcoStruxure™ Power Monitoring Expert (PME)
HOTFIX: Apply Hotfix_75031_PME2022 to EcoStruxure Power Monitoring Expert (PME) Version 2022
HOTFIX: For PME Version 2021 and earlier (end-of-life), upgrade to EcoStruxure Power Monitoring Expert (PME) Version 2022 or later and apply Hotfix_75031_PME2022
Long-term hardening
EcoStruxure™ Power Monitoring Expert (PME)
HARDENING: Implement multi-factor authentication (MFA) for EcoStruxure PME administrative and engineering access if supported
HARDENING: Segment the EcoStruxure PME application and database server from general corporate networks and untrusted systems
HARDENING: Monitor EcoStruxure PME logs and application behavior for suspicious authentication attempts or unusual serialized data requests