OTPulse

Schneider Electric EcoStruxure

Monitor · 4.3 · ICS-CERT ICSA-25-203-03 · Jul 8, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric EcoStruxure Power Monitoring Expert (PME) and Power Operation (EPO) products contain a vulnerability (CWE-668) that allows authenticated users to view data intended for other users on the same system. PME is an on-premises power monitoring software for critical and energy-intensive facilities; EPO is used to monitor and control medium and lower voltage power systems. Without remediation, sensitive operational data could be exposed to other authenticated users on the affected system.

What this means
What could happen
An authenticated user with access to the PME or EPO system could view sensitive power monitoring and operational data intended for other users, potentially exposing facility configuration, load profiles, or other operational intelligence that could be used for further attacks or disruption planning.
Who's at risk
Energy sector operators managing critical power facilities and energy-intensive operations, specifically those using Schneider Electric EcoStruxure Power Monitoring Expert (PME) or Power Operation (EPO) software for power system monitoring and control. Both on-premises deployments and managed service model instances are affected.
How it could be exploited
An attacker with valid credentials to the EcoStruxure PME or EPO system can access data views or reports that should be restricted to other users, bypassing data segregation controls. This requires an existing authenticated account on the system; the attacker does not need to compromise the application itself, only use legitimately held credentials to access data outside that account's intended scope.
Prerequisites
  • Valid user credentials for EcoStruxure PME or EPO system
  • Network access to the affected on-premises software instance
  • Authentication already established or ability to authenticate to the system
  • Requires authentication
  • Low attack complexity
  • Data exposure affects operational knowledge
  • EPO 2024 version has no patch available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
2 with fix, 1 pending

Product | Affected Versions | Fix Status
EcoStruxure™ Power Monitoring Expert (PME) | 2023; 2023 R2; 2024; 2024 R2 | 2023_Hotfix_199767
EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module | 2022 | Hotfix_199767
EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module | 2024 | No fix yet
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EcoStruxure™ Power Monitoring Expert (PME)
HOTFIX: Apply Hotfix_199767 for EcoStruxure Power Monitoring Expert (PME) versions 2023, 2023_R2, 2024, or 2024_R2
EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module
HOTFIX: Apply Hotfix_199767 for EcoStruxure Power Operation (EPO) Advanced Reporting and Dashboards Module version 2022
Long-term hardening
EcoStruxure™ Power Monitoring Expert (PME)
HARDENING: Review data access permissions and user roles in PME/EPO to implement principle of least privilege—ensure each user account has only the data views and reports necessary for their job function
HARDENING: Audit access logs in PME/EPO to identify if any unauthorized data viewing has occurred, and review which users accessed sensitive power system data
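The exploitation description and the two hardening items above both come down to per-object authorization: a report lookup must check not just that the caller is logged in, but that the caller is entitled to that particular data, and every attempt should be recorded so the access log can be reviewed afterwards. The following Python is an added illustration of that CWE-668 defect class and its fix; it is not Schneider Electric's code and does not reflect the PME/EPO API. It shows a lookup that relies on authentication alone beside one that also enforces a site assignment and writes an audit entry, plus a small helper that scans a constructed access log for views outside a user's assignment. The users, site names, report ids and log format are all made up for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class User:
    name: str
    sites: frozenset  # sites this account is cleared to view (assumed model)


@dataclass(frozen=True)
class Report:
    report_id: int
    site: str
    title: str


# Constructed sample data, not from any real deployment.
REPORTS = {
    101: Report(101, "plant-a", "Plant A load profile"),
    102: Report(102, "plant-b", "Plant B feeder configuration"),
}
ALICE = User("alice", frozenset({"plant-a"}))
BOB = User("bob", frozenset({"plant-b"}))
USERS = {u.name: u for u in (ALICE, BOB)}


class AccessDenied(Exception):
    pass


def get_report_vulnerable(user, report_id):
    """Defect class (CWE-668): the caller is authenticated, but `user` is never
    compared against the report, so any account can read any report by id."""
    return REPORTS[report_id]


def get_report(user, report_id, audit_log):
    """Hardened lookup: the report's site must be in the caller's assignment,
    and every attempt (allowed or not) is appended to `audit_log`."""
    report = REPORTS.get(report_id)
    allowed = report is not None and report.site in user.sites
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.name,
        "report_id": report_id,
        "site": report.site if report else None,
        "allowed": allowed,
    })
    if not allowed:
        # Same failure for unknown and out-of-scope ids, so the error message
        # does not reveal which ids exist.
        raise AccessDenied(f"{user.name} may not read report {report_id}")
    return report


# Constructed sample access log in an assumed format, as a system that
# recorded views without enforcing scope might have written it.
SAMPLE_LOG = """\
2025-07-08T09:58:12Z user=alice report=101 site=plant-a
2025-07-08T10:02:45Z user=alice report=102 site=plant-b
2025-07-08T10:05:01Z user=bob report=102 site=plant-b
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) report=(?P<report>\d+) site=(?P<site>\S+)$"
)


def find_out_of_scope_views(log_text, users):
    """Audit helper: return (user, report_id, site) for each logged view of a
    site the user is not assigned to, or by an account that no longer exists."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        user = users.get(m["user"])
        if user is None or m["site"] not in user.sites:
            findings.append((m["user"], int(m["report"]), m["site"]))
    return findings


if __name__ == "__main__":
    log = []
    print(get_report(ALICE, 101, log).title)
    try:
        get_report(ALICE, 102, log)
    except AccessDenied as e:
        print("denied:", e)
    print("out-of-scope views in sample log:", find_out_of_scope_views(SAMPLE_LOG, USERS))
```

The audit helper is the piece an operator would run over historical logs after applying the hotfix: it compares each recorded view against the current site assignments, which is exactly the review the second hardening item asks for.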
API: /api/v1/advisories/80f5d6e6-09dd-46e3-a16b-cec71740d9a9