Schneider Electric EcoStruxure PME and EPO

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-26-078-04 | Mar 10, 2026
Vendor: Schneider Electric
Sectors: Energy, Healthcare, Manufacturing, Transportation, Water
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric EcoStruxure Power Monitoring Expert (PME) and EcoStruxure Power Operation (EPO) contain a deserialization vulnerability (CWE-502) that allows local arbitrary code execution. PME is used to monitor and optimize power systems in critical facilities; EPO is a platform for monitoring and controlling medium and lower power systems. An attacker with local access could execute arbitrary code with system privileges, compromising the server and disrupting power monitoring and control operations.

What this means
What could happen
An attacker with local access to the PME or EPO server could run arbitrary commands with system privileges, potentially disrupting power monitoring/control operations, altering system configuration, or gaining unauthorized administrative control of the facility's energy management systems.
Who's at risk
Energy utilities, water authorities, and industrial facilities that rely on Schneider Electric's PME or EPO for power monitoring and control. This affects system administrators and operators responsible for facility energy management, power optimization, and real-time power system supervision across critical infrastructure sectors including energy, water, manufacturing, transportation, and healthcare.
How it could be exploited
An attacker must have local access (or remote access via compromised credentials) to the PME/EPO server. The attacker can exploit the deserialization flaw to execute code with the privileges of the PME/EPO process, likely running as a service account with administrative rights.
Prerequisites
  • Local access to the PME or EPO server, or valid domain/local Windows credentials for remote access
  • Access to a network path or input mechanism that feeds malicious serialized objects to the PME/EPO application
Key points
  • Low attack complexity
  • Requires local or authenticated access (not remotely exploitable without credentials)
  • Affects critical energy management infrastructure
  • No patch available for EPO 2024 or PME/EPO 2022 (end-of-life products)
  • Could lead to loss of power monitoring visibility and control capability
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (6)
2 with fix, 1 pending, 3 EOL
Product | Affected Versions | Fix Status
EcoStruxure™ Power Monitoring Expert (PME) | ≤ 2022, 2023, 2023 R2, 2024, 2024 R2 | 2023 R2 Hotfix_282807
EcoStruxure™ Power Operation (EPO) 2024 with Advanced Reporting and Dashboards Module | 2024 | No fix yet
EcoStruxure™ Power Operation (EPO) 2022 Advanced Reporting and Dashboards Module | ≤ 2022 | No fix (EOL)
EcoStruxure Power Monitoring Expert (PME) | ≤ 2022, 2023, 2023 R2, 2024, 2024 R2 | 2023_R2_Hotfix_282807
EcoStruxure Power Operation (EPO) 2022 Advanced Reporting and Dashboards Module | ≤ 2022 | No fix (EOL)
EcoStruxure Power Operation (EPO) 2024 with Advanced Reporting and Dashboards Module | 2024 | No fix (EOL)
Remediation & Mitigation
Do now
EcoStruxure™ Power Monitoring Expert (PME)
HARDENING: Ensure the PME/EPO server is isolated on a dedicated network segment with no direct internet access and restricted lateral connectivity from general IT networks.
HARDENING: Configure Windows Firewall on the PME/EPO server to restrict inbound access to only the required management ports from authorized engineer workstations and monitoring clients.
HARDENING: Conduct an audit of all Windows-authenticated users with access to PME/EPO; revoke access for non-essential accounts and apply the principle of least privilege. Enforce complex password policies.
All products
HARDENING: Review and restrict Server Access Permissions; identify accounts with elevated privileges or remote access and limit them to critical operational staff only.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EcoStruxure™ Power Monitoring Expert (PME)
HOTFIX: For PME 2024 R2: Apply Hotfix_279338_Release_2024R2 from the Schneider Electric Customer Care Center. No reboot required.
HOTFIX: For PME 2023 R2: Apply Hotfix_282807 from the Schneider Electric Customer Care Center. No reboot required.
HOTFIX: For PME 2024: Upgrade to PME 2024 R3 via Schneider Electric.
HOTFIX: For PME 2023 or earlier, and EPO 2024/2022: Upgrade to PME 2024 R3 (EPO 2022 and PME 2022 are end-of-life and have no fixes).

Schneider Electric EcoStruxure PME and EPO | CVSS 7.8 - OTPulse