Schneider Electric EcoStruxure Foxboro DCS Advisor
Act Now · 9.8 · ICS-CERT ICSA-25-352-02 · Dec 9, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in Microsoft Windows Server WSUS (Windows Server Update Services) affects the optional EcoStruxure™ Foxboro DCS Advisor component, which provides remote connectivity and diagnostics for the Foxboro distributed control system (DCS). The vulnerability allows remote code execution with system-level privileges without authentication. EcoStruxure Foxboro DCS Advisor continuously monitors key performance indicators on I/A Series or Control Software systems in process facilities. Successful exploitation could allow unauthorized parties to execute arbitrary code with full system privileges on the DCS Advisor server.
What this means
What could happen
An attacker could remotely execute code with system-level privileges on your DCS Advisor server without authentication, potentially compromising process monitoring, remote diagnostics, and control of your Foxboro DCS systems.
Who's at risk
Water and electric utilities, refineries, and other process manufacturers using Schneider Electric EcoStruxure Foxboro DCS systems with the optional DCS Advisor component for remote monitoring and diagnostics. This affects the Windows Server operating system running the DCS Advisor service, which is the remote connectivity and monitoring interface for your distributed control system.
How it could be exploited
The attacker exploits a flaw in WSUS running on the EcoStruxure Foxboro DCS Advisor server. Since the server is exposed to the network for remote connectivity, the attacker sends a malicious request over the network to the WSUS service, gaining remote code execution with system privileges without needing credentials.
Prerequisites
- Network reachability to port 8530 or 8531 (default WSUS ports) on the EcoStruxure Foxboro DCS Advisor server
- EcoStruxure Foxboro DCS Advisor component installed and WSUS enabled
- No authentication required
Tags: remotely exploitable · no authentication required · low complexity · actively exploited (KEV) · high EPSS score (68.4%) · affects safety systems · system-level code execution
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| Microsoft Windows Server 2016 <10.0.14393.8524 | All versions | EcoStruxure™ Foxboro DCS Advisor services |
| Microsoft Windows Server 2022 <10.0.20348.4297 | All versions | EcoStruxure™ Foxboro DCS Advisor services |
Remediation & Mitigation
Do now
- HOTFIX: Apply Microsoft patch KB5070882 to Windows Server 2016 instances running EcoStruxure Foxboro DCS Advisor
- HOTFIX: Apply Microsoft patch KB5070884 to Windows Server 2022 instances running EcoStruxure Foxboro DCS Advisor
- HOTFIX: Plan for server reboot after patch application to complete the update
- WORKAROUND: Implement network firewall rules to restrict access to WSUS ports (8530, 8531) to only authorized management workstations and eliminate any unnecessary internet exposure of the DCS Advisor server
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Verify patch installation completion with Schneider Electric Global Customer Support
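The remediation items above can be checked on the DCS Advisor host itself. The following PowerShell audit is an added example, not code from Schneider Electric, Microsoft or this advisory; it takes the fixed builds, KB numbers and WSUS ports from the text above and assumes it is run elevated on the Windows Server instance.

```powershell
# Added example: audit a DCS Advisor host against this advisory's remediation items.
# Fixed-build thresholds, KB numbers and ports are the ones stated in the advisory.
$fixed = @{
    14393 = @{ Ubr = 8524; KB = 'KB5070882'; Name = 'Windows Server 2016' }
    20348 = @{ Ubr = 4297; KB = 'KB5070884'; Name = 'Windows Server 2022' }
}

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR   # update build revision, the last field of 10.0.x.y
if (-not $fixed.ContainsKey($build)) {
    Write-Output "Build 10.0.$build.$ubr is not one of the two builds listed in the advisory."
    return
}
$target = $fixed[$build]

# Get-HotFix can miss a KB that a later cumulative update superseded,
# so the build revision is the primary signal and the KB lookup is secondary.
$patched   = $ubr -ge $target.Ubr
$kb        = Get-HotFix -Id $target.KB -ErrorAction SilentlyContinue
$wsus      = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
$listeners = Get-NetTCPConnection -State Listen -LocalPort 8530, 8531 -ErrorAction SilentlyContinue

# Enabled inbound allow rules that cover the WSUS ports, with their remote-address scope.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        $ports | Where-Object { $_ -in '8530', '8531' }
    } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }

[pscustomobject]@{
    OS                = $target.Name
    Build             = "10.0.$build.$ubr"
    FixedBuild        = "10.0.$build.$($target.Ubr)"
    AtOrAboveFixed    = $patched
    HotFixListed      = [bool]$kb
    WsusRoleInstalled = [bool]$wsus.Installed
    ListeningPorts    = ($listeners.LocalPort | Sort-Object -Unique) -join ','
} | Format-List

# Rules still open to any source are the ones the workaround asks you to scope down.
$rules | Where-Object { $_.RemoteAddress -eq 'Any' } | Format-Table -AutoSize
```

A host that reports `AtOrAboveFixed : False` with a listener on 8530 or 8531 and an allow rule scoped to `Any` still meets every prerequisite listed in this advisory.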
CVEs (1)