Schneider Electric EcoStruxure

CVSS 4.3 | ICS-CERT ICSA-25-203-03 | Jul 8, 2025
Vendor: Schneider Electric | Sector: Energy
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric EcoStruxure Power Monitoring Expert (PME) and EcoStruxure Power Operation (EPO) Advanced Reporting and Dashboards Module contain an improper access control vulnerability that allows authenticated users to view sensitive data belonging to other authenticated users on the same system. This could expose unintended information about power system operations, monitoring, and configuration. The vulnerability affects PME versions 2023, 2023_R2, 2024, and 2024_R2, and EPO Advanced Reporting versions 2022 and 2024.

What this means
What could happen
An authenticated user with access to EcoStruxure Power Monitoring Expert or Power Operation software could view sensitive data belonging to other users on the same system, potentially exposing power system operational details, configuration, or monitoring information.
Who's at risk
Energy utilities and facilities management teams running Schneider Electric EcoStruxure Power Monitoring Expert or Power Operation software on-premises or via managed services. This affects anyone who monitors or controls electrical distribution systems using these products.
How it could be exploited
An attacker with valid user credentials and access to the EcoStruxure Power Monitoring Expert or Power Operation interface could exploit improper access controls to retrieve data from other authenticated users' accounts or sessions on the same system.
Prerequisites
  • Valid user account credentials for the EcoStruxure Power Monitoring Expert or Power Operation system
  • Network access to the EcoStruxure application interface
  • A vulnerable, supported version in use (PME 2023, 2023_R2, 2024, 2024_R2; EPO Advanced Reporting 2022 or 2024)
Tags: authenticated attacker required; improper access control to user data; multi-user system exposure; no fix available for EPO 2024
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (3)
2 with fix, 1 pending

Product | Affected Versions | Fix Status
EcoStruxure™ Power Monitoring Expert (PME) | 2023, 2023 R2, 2024, 2024 R2 | 2023_Hotfix_199767
EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module | 2022 | Hotfix_199767
EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module | 2024 | No fix yet
Remediation & Mitigation
Do now
EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module
Workaround: Contact the Schneider Electric Customer Care Center for hotfix availability and deployment guidance for EPO Advanced Reporting and Dashboards Module version 2024 (no vendor fix currently available)
All products
Hardening: Restrict network access to EcoStruxure Power Monitoring Expert and Power Operation systems to authorized engineering and operations staff only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EcoStruxure™ Power Monitoring Expert (PME)
Hotfix: Apply Hotfix_199767 to EcoStruxure Power Monitoring Expert (PME) versions 2023, 2023_R2, 2024, or 2024_R2
EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module
Hotfix: Apply Hotfix_199767 to EcoStruxure Power Operation (EPO) Advanced Reporting and Dashboards Module version 2022
All products
Hardening: Review user access levels and remove unnecessary multi-user access to EcoStruxure systems to limit exposure of other users' data


Schneider Electric EcoStruxure | CVSS 4.3 - OTPulse