Schneider Electric EcoStruxure Foxboro DCS Advisor
Act Now | CVSS 9.8 | ICS-CERT ICSA-25-352-02 | Dec 9, 2025
Schneider Electric | Energy | Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability exists in the Windows Server Update Services (WSUS) component used by EcoStruxure Foxboro DCS Advisor. The Foxboro DCS is a distributed control system used for remote monitoring and diagnostics of critical industrial processes. An unauthenticated attacker with network access can exploit a deserialization flaw to achieve remote code execution with system-level privileges. This vulnerability is actively being exploited in the wild.
What this means
What could happen
An unauthenticated attacker on the network could execute arbitrary code with system-level privileges on the EcoStruxure Foxboro DCS Advisor, potentially gaining full control over the distributed control system and all connected process equipment. This could enable modification of setpoints, shutdown of operations, or data exfiltration from critical process systems.
Who's at risk
Energy and manufacturing operators using Schneider Electric EcoStruxure Foxboro DCS Advisor are affected. This includes distributed control systems (DCS) for refineries, chemical plants, power generation, and other process industries that rely on the Foxboro DCS for monitoring and control of critical processes. Any organization with Windows Server 2016 or 2022 running the Advisor component is at risk.
How it could be exploited
An attacker with network access to the EcoStruxure Foxboro DCS Advisor can send a crafted request that exploits the Windows Server Update Services (WSUS) deserialization vulnerability. No authentication or user interaction is required. Successful exploitation results in remote code execution with SYSTEM privileges, allowing the attacker to run arbitrary commands on the DCS Advisor server.
Prerequisites
- Network access to the EcoStruxure Foxboro DCS Advisor server
- The WSUS service must be running and accessible
- No credentials or user interaction required
remotely exploitable | no authentication required | low complexity | actively exploited (KEV) | high EPSS score (75.8%) | affects safety systems | system-level code execution
Exploitability
Actively exploited — confirmed by CISA KEV
Metasploit module available — weaponized exploit
Public Proof-of-Concept (PoC) on GitHub (9 repositories)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| Microsoft Windows Server 2016 <10.0.14393.8524 | All versions | EcoStruxure™ Foxboro DCS Advisor services |
| Microsoft Windows Server 2022 <10.0.20348.4297 | All versions | EcoStruxure™ Foxboro DCS Advisor services |
Remediation & Mitigation
Do now
- HOTFIX: Apply Microsoft patch KB5070882 to Windows Server 2016 systems running EcoStruxure Foxboro DCS Advisor via Windows Server Update Services (WSUS)
- HOTFIX: Apply Microsoft patch KB5070884 to Windows Server 2022 systems running EcoStruxure Foxboro DCS Advisor via Windows Server Update Services (WSUS)
- HOTFIX: Plan and execute server reboots within a maintenance window after patches are applied
- HARDENING: Restrict network access to the EcoStruxure Foxboro DCS Advisor server to only authorized engineering workstations and monitoring stations using firewall rules or network segmentation
- HOTFIX: Verify patch application has been completed by contacting Schneider Electric Global Customer Support and confirming patch status
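
A local check for the patch and exposure items above, as an added example that is not from Schneider Electric or Microsoft: it compares the running OS build with the fixed builds in the affected-products table, looks for the listed KB, and reports whether WSUS is running and listening. It assumes the default WSUS service name (`WsusService`) and default WSUS ports (8530/8531), and is meant to be run in an elevated PowerShell session on the Advisor server.

```powershell
# Added example: patch and exposure check for a Foxboro DCS Advisor server.
# Fixed builds and KB numbers are the ones given in the advisory text above.
$Fixed = @{
    '14393' = @{ Name = 'Windows Server 2016'; Ubr = 8524; KB = 'KB5070882' }
    '20348' = @{ Name = 'Windows Server 2022'; Ubr = 4297; KB = 'KB5070884' }
}

function Test-BuildPatched {
    param([string]$Build, [int]$Ubr, [hashtable]$Table = $Fixed)
    # $true/$false for a listed build, $null for a build the advisory does not list.
    if (-not $Table.ContainsKey($Build)) { return $null }
    return $Ubr -ge $Table[$Build].Ubr
}

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [string]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR
$state = Test-BuildPatched -Build $build -Ubr $ubr

# Later cumulative updates supersede the listed KB, so the build revision is
# the deciding signal; the KB lookup is reported only as supporting evidence.
$kbSeen = $false
if ($Fixed.ContainsKey($build)) {
    $kbSeen = [bool](Get-HotFix -Id $Fixed[$build].KB -ErrorAction SilentlyContinue)
}

# Assumption: default WSUS service name and default ports (8530 HTTP, 8531 HTTPS).
$svc = Get-Service -Name 'WsusService' -ErrorAction SilentlyContinue
$listening = @(Get-NetTCPConnection -State Listen -LocalPort 8530, 8531 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort -Unique)

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    OsBuild        = "10.0.$build.$ubr"
    FixedBuild     = if ($Fixed.ContainsKey($build)) { "10.0.$build.$($Fixed[$build].Ubr)" } else { 'not listed in advisory' }
    Patched        = $state
    ListedKbFound  = $kbSeen
    WsusService    = if ($svc) { [string]$svc.Status } else { 'not installed' }
    WsusPortsOpen  = $listening -join ','
    # Unpatched build with WSUS running matches the prerequisites listed above.
    ActionRequired = ($state -eq $false) -and ($svc -and $svc.Status -eq 'Running')
}
```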
CVEs (1)