Schneider Electric Galaxy VS, Galaxy VL, Galaxy VXL (Update A)
Act Now · CVSS 10 · ICS-CERT ICSA-25-140-07 · May 13, 2025
Schneider Electric · Energy
Attack path
- Attack Vector: Network
- Auth Required: None
- Complexity: Low
- User Interaction: None needed
Summary
A vulnerability in the Erlang/OTP SSH Server component embedded in Schneider Electric Galaxy VS, Galaxy VL, and Galaxy VXL UPS network management cards allows unauthenticated remote code execution. The Galaxy VS, VL, and VXL are 3-phase UPS systems used in data centers and business-critical applications. Successful exploitation could compromise UPS monitoring capabilities and disrupt UPS operation.
What this means
What could happen
An unauthenticated attacker with network access to the UPS management port could run arbitrary commands on the device, compromising monitoring capabilities and potentially disrupting UPS operation or causing shutdown.
Who's at risk
This affects data center and business-critical facility operators who rely on Schneider Electric Galaxy VS, VL, or VXL uninterruptible power supplies (UPS) for power protection. Any facility using these UPS models with network management capabilities is at risk if the devices are reachable from untrusted networks.
How it could be exploited
An attacker with network connectivity to port 22/TCP (SSH) on the Galaxy VS, VL, or VXL UPS network management card can send a specially crafted SSH packet to bypass authentication and execute arbitrary commands without credentials.
Prerequisites
- Network access to port 22/TCP on the UPS network management interface
- UPS must be exposed to untrusted networks or internet-facing
Tags: remotely exploitable · no authentication required · low complexity · actively exploited (KEV) · high EPSS score (54%) · affects critical infrastructure power systems
Exploitability
Actively exploited — confirmed by CISA KEV
Metasploit module available — weaponized exploit
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status (fixed version)
Galaxy VS | ≤ 6.118.0 | 6.123.0
Galaxy VL | ≤ 18.5.0 | 18.10.0
Galaxy VXL | ≤ 15.21.0 | 15.29.0
Remediation & Mitigation
Do now
Galaxy VS
HOTFIX: Update Galaxy VS to version 6.123.0 or later
Galaxy VL
HOTFIX: Update Galaxy VL to version 18.10.0 or later
Galaxy VXL
HOTFIX: Update Galaxy VXL to version 15.29.0 or later
All products
WORKAROUND: Disable SSH/SFTP/SCP on the NMC4 network management card: log into the NMC4 web interface, navigate to Configuration → Network → Console → Access, uncheck 'Enable SSH/SFTP/SCP', and click Apply
HARDENING: Implement firewall rules to block all inbound traffic to port 22/TCP on the UPS network management interface from untrusted networks
HARDENING: Isolate UPS management networks from the business network and restrict access to authorized personnel only
HARDENING: Ensure UPS devices are not directly accessible from the internet; use secure remote access methods such as a VPN if management from external networks is required
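As an added example (not part of this advisory and not Schneider Electric tooling), the following Python triage helper checks a fleet inventory against the affected/fixed versions in the table above and recommends the remediation step for each card. Hostnames, firmware versions and the SSH-enabled flag in the sample inventory are constructed; the version comparison is numeric per component, because comparing "18.5.0" and "18.10.0" as strings gets the order wrong.

```python
"""Flag Galaxy VS/VL/VXL network management cards still below the fixed firmware."""

# (highest listed affected version, fixed version) per product, from the advisory table
FIXED_VERSIONS = {
    "Galaxy VS": ("6.118.0", "6.123.0"),
    "Galaxy VL": ("18.5.0", "18.10.0"),
    "Galaxy VXL": ("15.21.0", "15.29.0"),
}


def parse_version(v):
    """'18.10.0' -> (18, 10, 0); numeric tuples compare correctly, strings do not."""
    parts = v.strip().lstrip("v").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def assess(product, version):
    """Return 'fixed', 'vulnerable' or 'unknown' for one device."""
    if product not in FIXED_VERSIONS:
        return "unknown"  # not a product covered by this advisory
    max_affected, fixed = FIXED_VERSIONS[product]
    v = parse_version(version)
    if v >= parse_version(fixed):
        return "fixed"
    if v <= parse_version(max_affected):
        return "vulnerable"
    # Above the last listed affected build but below the fix: not covered by the table, review manually
    return "unknown"


def triage(inventory):
    """inventory rows: (hostname, product, version, ssh_enabled) -> (hostname, status, action)."""
    results = []
    for host, product, version, ssh_enabled in inventory:
        status = assess(product, version)
        if status == "fixed":
            action = "none"
        elif ssh_enabled:
            action = "update firmware; until then disable SSH/SFTP/SCP and block 22/TCP"
        else:
            action = "update firmware (SSH already disabled)"
        results.append((host, status, action))
    return results


# Constructed sample inventory (hypothetical hosts and versions, not from the advisory)
SAMPLE_INVENTORY = [
    ("ups-dc1-a", "Galaxy VS", "6.118.0", True),
    ("ups-dc1-b", "Galaxy VL", "18.5.0", False),
    ("ups-dc2-a", "Galaxy VL", "18.10.0", True),
    ("ups-dc2-b", "Galaxy VXL", "15.29.1", True),
]

if __name__ == "__main__":
    for host, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:11} {action}")
```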
CVEs (1)