Schneider Electric EcoStruxure Power Automation System User Interface (EPAS-UI)
Monitor | CVSS 6.8 | ICS-CERT ICSA-25-077-01 | Mar 11, 2025
Schneider Electric | Energy | Manufacturing
Attack path
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in Schneider Electric EcoStruxure Power Automation System User Interface (EPAS-UI) versions 2.1 through 2.9 allows authentication bypass and potential access to sensitive information or arbitrary code execution on systems where the application is installed. The vulnerability is not remotely exploitable and requires physical or local access to the affected device.
What this means
What could happen
An attacker with local access to a machine running EPAS-UI could bypass authentication and gain administrative-level control over the power automation system, potentially allowing them to view sensitive configuration data or modify automation logic that controls power distribution.
Who's at risk
Energy sector utilities and manufacturing facilities running Schneider Electric EcoStruxure Power Automation System User Interface (EPAS-UI) should prioritize this fix. Affected systems are typically deployed in power automation control centers, substations, and manufacturing control rooms where access to automation logic and configuration could impact power distribution or production processes.
How it could be exploited
An attacker with physical or local access to the machine hosting EPAS-UI can exploit the authentication bypass vulnerability. No remote access is required. The attacker gains the ability to access the application and perform operations that would normally require authentication, such as viewing system configuration or altering automation settings.
Prerequisites
- Local or physical access to the machine running EPAS-UI
- Versions 2.1 through 2.9 of EPAS-UI must be installed
- Requires local/physical access (not remotely exploitable)
- Authentication bypass leading to high-integrity impact
- Affects power distribution and automation control
- Low EPSS score (0.1%) but not yet patched by all users
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
2 with fix
Product: EcoStruxure™ Power Automation System User Interface (EPAS-UI) Secured
Affected Versions: ≥ 2.1 | ≤ 2.9
Fix Status: 2.10

Product: EcoStruxure Power Automation System User Interface (EPAS-UI): >=v2.1|<=v2.9
Affected Versions: ≥ v2.1|≤ v2.9
Fix Status: 2.10
Remediation & Mitigation
Do now
WORKAROUND: As an immediate workaround, rename the file C:\MCIS\Bin\MCIS.chm to C:\MCIS\Bin\MCIS.old and restart the machine (requires admin login)
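The workaround above as an idempotent check-and-apply function, useful when several EPAS-UI hosts have to be audited; this is an added example, not Schneider Electric's or the advisory's own code. The file paths come from the advisory; the function name, parameters, state labels and the timestamp suffix are assumptions.

```powershell
# Added example: audit or apply the MCIS.chm rename workaround.
# Paths are from the advisory; names and state labels here are hypothetical.
function Set-EpasChmWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$BinPath = 'C:\MCIS\Bin',   # install path as given in the advisory
        [switch]$AuditOnly                  # report state without changing anything
    )

    $chm = Join-Path $BinPath 'MCIS.chm'
    $old = Join-Path $BinPath 'MCIS.old'
    $renamed = $false

    if (-not (Test-Path -LiteralPath $BinPath -PathType Container)) {
        $state = 'NotInstalled'             # no C:\MCIS\Bin on this host
    }
    elseif (-not (Test-Path -LiteralPath $chm -PathType Leaf)) {
        $state = 'WorkaroundInPlace'        # MCIS.chm is absent
    }
    elseif ($AuditOnly) {
        $state = 'WorkaroundMissing'        # MCIS.chm is still present
    }
    else {
        $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
        $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                        [Security.Principal.WindowsBuiltInRole]::Administrator)
        if (-not $isAdmin) { throw 'Run from an elevated session (the workaround requires admin login).' }

        # Edge case (assumed scenario): MCIS.chm is back, e.g. after a repair install, while an
        # earlier MCIS.old still exists. Set the stale copy aside so the rename does not fail.
        if ((Test-Path -LiteralPath $old) -and $PSCmdlet.ShouldProcess($old, 'Set aside stale copy')) {
            Rename-Item -LiteralPath $old -NewName ('MCIS.old.{0:yyyyMMddHHmmss}' -f (Get-Date)) -ErrorAction Stop
        }
        if ($PSCmdlet.ShouldProcess($chm, 'Rename to MCIS.old')) {
            Rename-Item -LiteralPath $chm -NewName 'MCIS.old' -ErrorAction Stop
            $renamed = $true
        }
        $state = if ($renamed) { 'WorkaroundApplied' } else { 'WorkaroundMissing' }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        State          = $state
        RestartPending = $renamed           # the advisory calls for a restart after the rename
    }
}

Set-EpasChmWorkaround -AuditOnly            # read-only check; drop -AuditOnly to apply
```

Running it with `-WhatIf` instead of `-AuditOnly` shows the renames that would be performed without making them.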
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
EcoStruxure™ Power Automation System User Interface (EPAS-UI) Secured
HOTFIX: Update EPAS-UI to version 2.10 or later
Long-term hardening
EcoStruxure™ Power Automation System User Interface (EPAS-UI) Secured
HARDENING: Restrict physical access to machines running EPAS-UI; place controllers in locked cabinets and restrict console access to authorized personnel only
HARDENING: Isolate EPAS-UI and associated control system networks from the business network using firewalls and network segmentation
CVEs (1)