Schneider Electric EcoStruxure Power Automation System
Act Now | CVSS 9.8 | ICS-CERT ICSA-25-077-03 | Mar 11, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability exists in the WebHMI component used in Schneider Electric's EcoStruxure Power Automation System User Interface (EPAS UI, formerly EcoSUI) and EcoStruxure Microgrid Operation Large (EMO-L) solution. EcoStruxure Power Automation System is a local SCADA/HMI platform based on IEC 61850 that allows operators to supervise, monitor, and control large electrical networks. EMO-L is a power management system for critical Microgrid applications that can use WebHMI as its HMI option. The vulnerability in WebHMI allows unauthorized access to the underlying software application. Affected versions are EPAS User Interface ≤4.1.0.0 and EMO-L ≤4.1.0.0.
What this means
What could happen
An attacker with network access to the WebHMI component could gain unauthorized access to the underlying SCADA/HMI application, potentially allowing them to monitor and alter control of electrical networks or microgrid distributed energy resources.
Who's at risk
Operators of large electrical networks and critical microgrids using Schneider Electric EcoStruxure Power Automation System (formerly EcoSUI) or EcoStruxure Microgrid Operation Large (EMO-L) should assess their exposure. This affects energy sector utilities, power generation facilities, and distributed energy resource systems that rely on this SCADA/HMI platform for network supervision and control.
How it could be exploited
An attacker on the network sends a request to the WebHMI component in EPAS User Interface or EMO-L. The WebHMI fails to properly authenticate or authorize access, allowing the attacker to access the application without valid credentials and interact with the HMI interface to view or modify system state.
Prerequisites
- Network access to the WebHMI component port/interface
- WebHMI running vulnerable version (EPAS UI ≤4.1.0.0 or EMO-L ≤4.1.0.0)
- WebHMI exposed to accessible network segment (not restricted by firewall)
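A triage sketch for the prerequisites above, added here as an example and not taken from the advisory or from Schneider Electric tooling: it flags inventory rows whose version is in the affected range and whose firewall policy admits sources outside the authorized networks. The inventory columns, host names, authorized networks and the `hotfix_applied` field are constructed assumptions.

```python
import csv
import io
import ipaddress

# Affected ceilings from the advisory: both products are vulnerable at <= 4.1.0.0.
AFFECTED_MAX = {
    "EPAS User Interface": (4, 1, 0, 0),
    "EcoStruxure Microgrid Operation Large (EMO-L)": (4, 1, 0, 0),
}

# Constructed sample inventory; columns and hosts are assumptions, not real assets.
SAMPLE_INVENTORY = """host,product,version,hotfix_applied,allowed_sources
hmi-sub-01,EPAS User Interface,4.1.0.0,no,10.20.0.0/24
hmi-sub-02,EPAS User Interface,4.0.2,no,0.0.0.0/0
hmi-mg-01,EcoStruxure Microgrid Operation Large (EMO-L),4.1.0.0,yes,10.30.5.0/28
hmi-mg-02,EcoStruxure Microgrid Operation Large (EMO-L),4.2.0.0,no,10.0.0.0/8
"""

# Networks this site treats as authorized to reach WebHMI (assumption).
AUTHORIZED = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.30.5.0/28")]

def parse_version(text):
    # Pad short versions ("4.0.2") to four fields so tuple comparison is sound.
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(product, version):
    ceiling = AFFECTED_MAX.get(product)
    return ceiling is not None and parse_version(version) <= ceiling

def overexposed(allowed_sources):
    """Allowed source networks (';'-separated) not inside any authorized network."""
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in allowed_sources.split(";")]
    return [str(n) for n in nets if not any(n.subnet_of(a) for a in AUTHORIZED)]

def triage(inventory_csv):
    """Return (host, priority, offending_networks) for hosts that still need action."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_affected(row["product"], row["version"]):
            continue
        exposed = overexposed(row["allowed_sources"])
        hotfixed = row["hotfix_applied"].strip().lower() == "yes"
        if exposed or not hotfixed:
            findings.append((row["host"], "do-now" if exposed else "schedule-hotfix", exposed))
    return findings
```

An affected host with overly broad firewall sources is reported as `do-now` even when the hotfix is recorded, matching the advisory's separate workaround and hotfix items.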
- Remotely exploitable
- No authentication required
- Low complexity attack
- Critical CVSS 9.8
- No patch available yet
- Affects safety-critical electrical network control
- High impact (confidentiality, integrity, availability)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 pending
| Product | Affected Versions | Fix Status |
|---|---|---|
| EPAS User Interface | ≤ 4.1.0.0 | No fix yet |
| EcoStruxure Microgrid Operation Large (EMO-L) | ≤ 4.1.0.0 | No fix yet |
Remediation & Mitigation
Do now
- WORKAROUND: Ensure WebHMI is not exposed to the Internet; restrict network access using firewalls to authorized networks only
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Apply hotfix WebHMI_Fix_users_for_Standard.V1 from Schneider Electric Customer Care Center
Long-term hardening
- HARDENING: Isolate control and safety system networks from the business network using firewalls
- HARDENING: Restrict remote access to WebHMI; use VPNs with strong authentication when remote access is required
- HARDENING: Implement all hardening guidelines provided by Schneider Electric for WebHMI
- HARDENING: Apply physical access controls to ensure unauthorized personnel cannot access the SCADA/HMI infrastructure
CVEs (1)