Schneider Electric EcoStruxure Power Operation (Update A)
Act Now | CVSS 8.8 | ICS-CERT ICSA-25-203-04 | Jul 22, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
EcoStruxure Power Operation contains multiple vulnerabilities (CWE-95, CWE-680, CWE-409, CWE-787, CWE-400) in its embedded PostgreSQL database that allow remote code execution or unauthorized access to system functions. The vulnerabilities affect EPO 2022 versions up to CU6 and EPO 2024 versions up to CU1. Exploitation could result in loss of system functionality, unauthorized modification of power analysis and operation data, or disruption of power monitoring capabilities.
What this means
What could happen
An attacker could exploit PostgreSQL vulnerabilities in EcoStruxure Power Operation to execute arbitrary code or access sensitive system functions, potentially allowing them to manipulate power operation and analysis data or disrupt monitoring and control capabilities.
Who's at risk
Electric utilities and power distribution operators using Schneider Electric EcoStruxure Power Operation (EPO) for power system monitoring, analysis, and control should prioritize remediation. This includes organizations that rely on EPO 2022 (any version through CU6) or EPO 2024 (version CU1 and earlier) for waveform analysis, ETAP simulation, or operational reporting.
How it could be exploited
An attacker with network access to the EPO system can send a malicious request that exploits a vulnerability in the embedded PostgreSQL database (versions 14.10 and earlier). If the attacker can interact with the database interface or bypass authentication, they could execute code or modify system behavior. No special credentials are required to trigger the vulnerability.
Prerequisites
- Network access to the EcoStruxure Power Operation system
- The vulnerable PostgreSQL database must be exposed or accessible (not restricted to localhost)
- If waveform analysis or ETAP simulation features are disabled, the attack surface may be reduced, but the vulnerability remains in the installed software
Risk factors
- Actively exploited (KEV status)
- Remotely exploitable
- No authentication required
- Low complexity
- High CVSS score (8.8)
- Very high EPSS score (94.5%)
- No fix currently available for EPO 2024
- Affects power system operations
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
EcoStruxure Power Operation (EPO) 2022: <=CU6 | ≤ CU6 | No fix yet
EcoStruxure Power Operation (EPO) 2024: <=CU1 | ≤ CU1 | No fix yet
Remediation & Mitigation
Do now
EcoStruxure Power Operation (EPO) 2022: <=CU6
- HOTFIX: For EPO 2024 users, verify availability of CU2 or later through Schneider Electric support, as no current fix is documented
- WORKAROUND: If waveform analysis and ETAP simulation features are not required, uninstall PostgreSQL completely from the EPO system
All products
- HOTFIX: Apply EcoStruxure Power Operation 2022 CU7 or later, which includes updated PostgreSQL
- WORKAROUND: Configure PostgreSQL to accept connections only from localhost (127.0.0.1) to prevent remote exploitation
- WORKAROUND: If unable to patch immediately, manually uninstall PostgreSQL 14.10 and upgrade to PostgreSQL 14.17 or higher
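One way to verify the localhost-only workaround above, as an added example that is not part of the advisory or any Schneider Electric tooling: a Python audit of `postgresql.conf` and `pg_hba.conf` text that reports every listener or client rule reaching beyond loopback. The sample file contents are constructed and the function names are hypothetical; anything that cannot be proven to be loopback (wildcards, hostnames, `samenet`) is reported.

```python
import ipaddress
import re

# Constructed sample files; the real paths on an EPO server are not given on this page.
SAMPLE_CONF = "#listen_addresses = 'localhost'\nlisten_addresses = '*'\nport = 5432\n"
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
host    all       all   127.0.0.1/32   scram-sha-256
host    all       all   ::1/128        scram-sha-256
host    all       all   10.20.0.0 255.255.0.0 md5
host    all       all   0.0.0.0/0      md5
"""

def is_loopback(addr):
    """True only for 'localhost' or an IP/CIDR wholly inside 127.0.0.0/8 or ::1."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:
        return False  # '*', 'all', 'samenet', hostnames: treated as exposed

def listen_findings(conf_text):
    """Non-loopback entries in the effective listen_addresses (last assignment wins)."""
    value = "localhost"  # PostgreSQL's default when the setting is absent
    for line in conf_text.splitlines():
        m = re.match(r"\s*listen_addresses\s*=?\s*'?([^'#]*)", line, re.I)
        if m:
            value = m.group(1)
    addrs = [a.strip() for a in value.split(",") if a.strip()]
    return [a for a in addrs if not is_loopback(a)]

def hba_findings(hba_text):
    """(line number, address) for every host* rule that admits non-loopback clients."""
    findings = []
    for n, line in enumerate(hba_text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if len(f) < 5 or not f[0].startswith("host"):
            continue  # blank, comment, or 'local' (Unix socket) record
        addr = f[3]
        if len(f) >= 6 and re.fullmatch(r"[0-9.]+", f[4]):
            addr = f"{f[3]}/{f[4]}"  # separate IPv4 netmask column
        if not is_loopback(addr):
            findings.append((n, addr))
    return findings

if __name__ == "__main__":
    print("listen_addresses exposure:", listen_findings(SAMPLE_CONF))
    for n, addr in hba_findings(SAMPLE_HBA):
        print(f"pg_hba.conf line {n}: allows {addr}")
```

Both functions returning an empty list means the configuration text restricts PostgreSQL to loopback; a changed `listen_addresses` only takes effect after the PostgreSQL service is restarted.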
Long-term hardening
EcoStruxure Power Operation (EPO) 2022: <=CU6
- HARDENING: Restrict network access to EPO systems; ensure they are not directly reachable from the Internet
- HARDENING: If remote access to EPO is required, use a VPN with secure authentication and keep VPN software updated
All products
- HARDENING: Isolate EcoStruxure Power Operation systems behind firewalls and segment them from business networks