OTPulse

Schneider Electric EcoStruxure Power Monitoring Expert

Plan PatchCVSS 8.8ICS-CERT ICSA-25-224-03Aug 12, 2025
Schneider ElectricEnergy
Attack path
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

Schneider Electric has released advisories for multiple vulnerabilities in EcoStruxure Power Monitoring Expert (PME), Power Operation (EPO), and Power SCADA Operation (PSO) software. The vulnerabilities include unsafe deserialization of untrusted data (CWE-502), server-side request forgery (CWE-918), and path traversal (CWE-22). These flaws could allow an authenticated attacker to execute arbitrary code, access sensitive operational data, or bypass authorization controls. The vulnerabilities affect PME versions 2022, 2023, 2023_R2, 2024, and 2024_R2. Hotfix_279338_Release_2024R2 addresses the flaws in PME 2024 R2; older versions require different patches. Some deployments run PME in a Managed Service model, which may increase exposure if not properly isolated.

What this means
What could happen
An attacker with valid credentials could run arbitrary commands on the power monitoring system, potentially altering energy consumption data, disrupting facility monitoring, or accessing sensitive operational information about your facility's power systems.
Who's at risk
Operators of power monitoring and control systems in energy facilities, including utilities, industrial plants, and critical infrastructure with EcoStruxure Power Monitoring Expert (PME), Power Operation (EPO), or Power SCADA Operation (PSO) deployments. This affects versions 2022 through 2024 R2. Facilities using Managed Service deployments of PME face additional risk due to potential Internet exposure.
How it could be exploited
An attacker with valid login credentials sends a specially crafted request exploiting deserialization, server-side request forgery, or path traversal to the PME application. The application processes the malicious input without proper validation, allowing the attacker to execute arbitrary code on the PME server.
Prerequisites
  • Valid user credentials for EcoStruxure Power Monitoring Expert
  • Network access to the PME application server (typically internal network but may be Internet-facing if in Managed Service deployment)
  • One of the affected product versions (PME 2022, 2023, 2023_R2, 2024, or 2024_R2)
Remotely exploitableAuthentication required (reduces immediate risk but authenticated users may include contractors or third-party integrators)Medium EPSS score (1.4%)Affects power monitoring and control systemsMultiple vulnerability types (deserialization, SSRF, path traversal)Potential for remote code execution
Exploitability
Some exploitation risk — EPSS score 1.9%
Affected products (2)
2 with fix
ProductAffected VersionsFix Status
EcoStruxure Power Monitoring Expert (PME)20242024 R2202220232023 R2Hotfix_279338_Release_2024R2
EcoStruxure™ Power Monitoring Expert (PME)20242024 R2202220232023 R2Hotfix_279338_Release_2024R2
Remediation & Mitigation
0/5
Schedule — requires maintenance window
0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade EcoStruxure Power Monitoring Expert 2024 to version 2024 R2, then apply Hotfix_279338_Release_2024R2
HOTFIXUpgrade EcoStruxure Power Monitoring Expert 2023 R2 and apply Hotfix_199767_release and Hotfix_273686_release.12.0
HOTFIXFor older versions (2022, 2023), contact Schneider Electric Customer Care Center to determine available patches and upgrade path
Long-term hardening
0/2
EcoStruxure Power Monitoring Expert (PME)
HARDENINGRestrict network access to the PME application server to authorized users and systems only; if deployed as Managed Service, verify network isolation and access controls with your service provider
HARDENINGImplement network segmentation to isolate the PME application from untrusted networks; do not expose PME directly to the Internet
View full CISA ICS-CERT advisory
API: /api/v1/advisories/5af99202-19fb-40a2-b95f-1609a8aa5238

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.