Schneider Electric EcoStruxure Power Operation (Update A)

Act Now
CVSS: 8.8
ICS-CERT: ICSA-25-203-04
Jul 8, 2025
Vendor: Schneider Electric
Sector: Energy
Attack path
  Attack Vector: Network
  Auth Required: None
  Complexity: Low
  User Interaction: Required
Summary

EcoStruxure Power Operation 2022 CU6 and earlier, and 2024 CU1 and earlier, contain vulnerabilities in an embedded PostgreSQL database component (versions prior to 14.17) that allow remote code execution and unauthorized access. The vulnerabilities are exploitable without authentication and with low attack complexity. They include buffer overflows (CWE-787), code injection (CWE-95), and denial-of-service conditions (CWE-400, CWE-409). The embedded PostgreSQL is used for the waveform analysis and ETAP simulation features. Successful exploitation could result in loss of system functionality or unauthorized access to system functions. The vendor has released a patch; however, older 2022 product lines (prior to CU7) do not have a patched version and require workarounds.

What this means
What could happen
Attackers could exploit PostgreSQL vulnerabilities embedded in EcoStruxure Power Operation to execute arbitrary code or gain unauthorized access, potentially disrupting power operations or altering energy management functions. This is actively being exploited in the wild.
Who's at risk
Energy utilities and power distribution operators who manage grid operations or substation monitoring using EcoStruxure Power Operation 2022 or 2024 systems. Any organization relying on EPO for waveform analysis, ETAP simulation, or centralized power operation management should treat this as critical. The vulnerability could affect control and monitoring of power distribution equipment.
How it could be exploited
An attacker with network access to the PostgreSQL database port (typically 5432) can send specially crafted requests that exploit buffer overflow, injection, or denial-of-service vulnerabilities in the embedded PostgreSQL version. If the EPO system accepts remote database connections, the attacker gains direct access to the database without needing credentials.
Prerequisites
  • Network access to the EcoStruxure Power Operation system's PostgreSQL port (5432 or configured alternate port)
  • EPO system configured to accept database connections from the attacker's network (default or misconfigured exposure)
  • Running affected EPO version (2022 CU6 or earlier, or 2024 CU1 or earlier)
Tags: actively exploited (KEV) | remotely exploitable | no authentication required | low complexity | high EPSS score (94.4%) | affects critical infrastructure control systems
Exploitability
Actively exploited — confirmed by CISA KEV
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (4)
2 with fix, 2 pending
Product | Affected Versions | Fix Status
EcoStruxure™ Power Operation (EPO) 2022 CU6 and prior | ≤ 2022 CU6 | 2024 CU2
EcoStruxure™ Power Operation (EPO) 2024 CU1 and prior | ≤ 2024 CU1 | 2024 CU2
EcoStruxure Power Operation (EPO) 2022: <=CU6 | ≤ CU6 | No fix yet
EcoStruxure Power Operation (EPO) 2024: <=CU1 | ≤ CU1 | No fix yet
Remediation & Mitigation
Do now
EcoStruxure™ Power Operation (EPO) 2022 CU6 and prior
HARDENING: Restrict network access to the EPO PostgreSQL port (5432 or configured alternate) from untrusted networks using a firewall
All products
HOTFIX: Update EcoStruxure Power Operation to version 2024 CU2 or later
WORKAROUND: If unable to patch immediately and waveform analysis or ETAP simulation features are not in use, uninstall PostgreSQL from the EcoStruxure Power Operation system
HOTFIX: If you use waveform analysis or ETAP simulation features, manually upgrade PostgreSQL from version 14.10 to version 14.17 or higher
HARDENING: Configure PostgreSQL on EcoStruxure Power Operation systems to accept database connections only from localhost (127.0.0.1)
Long-term hardening
HARDENING: Isolate the EcoStruxure Power Operation network from the business IT network using firewalls and network segmentation
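As an added example (not code from the advisory, Schneider Electric, or the EPO product), a small Python audit that checks a host's embedded PostgreSQL against the mitigations listed above: version at or above 14.17, listen_addresses limited to localhost, and pg_hba.conf rules that admit only loopback clients. The version banner and the two configuration files are constructed samples; the finding names are this example's own.

```python
import re

PATCHED_VERSION = (14, 17)                      # minimum version named in the advisory
LOOPBACK = {"localhost", "127.0.0.1", "::1"}    # only listeners the advisory allows

def parse_version(banner):
    """(major, minor) from `postgres --version` style output."""
    m = re.search(r"(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no PostgreSQL version in {banner!r}")
    return int(m.group(1)), int(m.group(2))

def listen_addresses(conf):
    """Effective listen_addresses from postgresql.conf text (last setting wins)."""
    addrs = {"localhost"}                       # PostgreSQL's default when unset
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()    # drop trailing comments
        m = re.match(r"listen_addresses\s*=\s*'([^']*)'", line)
        if m:
            addrs = {a.strip() for a in m.group(1).split(",") if a.strip()}
    return addrs

def remote_hba_rules(hba):
    """pg_hba.conf TCP rules whose ADDRESS field is not a loopback address."""
    rules = []
    for line in hba.splitlines():
        line = line.split("#", 1)[0].strip()
        f = line.split()                        # TYPE DATABASE USER ADDRESS [MASK] METHOD
        if len(f) >= 5 and f[0] in ("host", "hostssl", "hostnossl"):
            if not f[3].startswith(("127.0.0.1", "::1")):
                rules.append(line)
    return rules

def audit(version_banner, conf, hba):
    """Return the advisory mitigations that are not yet in place on this host."""
    findings = []
    if parse_version(version_banner) < PATCHED_VERSION:
        findings.append("postgresql-below-14.17")
    if not listen_addresses(conf) <= LOOPBACK:
        findings.append("listen_addresses-not-localhost-only")
    if remote_hba_rules(hba):
        findings.append("pg_hba-admits-remote-clients")
    return findings

# Constructed sample inputs resembling an unmitigated host (not real EPO files).
SAMPLE_VERSION = "postgres (PostgreSQL) 14.10"
SAMPLE_CONF = "listen_addresses = '*'   # exposed on every interface\nport = 5432\n"
SAMPLE_HBA = "local all all trust\nhost all all 127.0.0.1/32 md5\nhost all all 0.0.0.0/0 md5\n"
```

Call `audit()` with the output of `postgres --version` and the contents of the host's postgresql.conf and pg_hba.conf; an empty list means all three checks pass, while the constructed samples above yield all three findings.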