Schneider Electric Plant iT/Brewmaxx

Act NowCVSS 9.9ICS-CERT ICSA-26-083-03Jan 13, 2026

Schneider ElectricEnergyManufacturing

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

ProLeiT Plant iT/Brewmaxx versions 9.60 and later contain three critical vulnerabilities: a use-after-free condition (CWE-416), an integer overflow (CWE-190), and unsafe code evaluation (CWE-94) in Redis. These flaws are exploitable by authenticated users to achieve privilege escalation and remote code execution on application servers, VisuHub components, and engineering workstations. Successful exploitation allows attackers to modify process parameters, alter equipment behavior, or halt production operations.

What this means

What could happen

An attacker with valid engineering credentials could escalate privileges and execute arbitrary code on ProLeiT Plant iT/Brewmaxx servers and workstations, potentially taking control of brewing or process equipment and disrupting production.

Who's at risk

Breweries and manufacturing facilities using Schneider Electric ProLeiT Plant iT/Brewmaxx software for process monitoring and control. This includes energy utilities and manufacturers that rely on this SCADA software to manage batch processing, setpoints, and equipment automation.

How it could be exploited

An attacker with engineering workstation credentials gains network access to the ProLeiT application server or VisuHub component. They exploit a use-after-free vulnerability (CWE-416) combined with integer overflow (CWE-190) to achieve privilege escalation. Once elevated, they use unsafe eval commands in Redis to execute arbitrary code on the affected system, allowing them to modify process parameters or shut down operations.

Prerequisites

Network access to the ProLeiT application server or VisuHub component on port(s) used by ProLeiT
Valid engineering workstation credentials or valid credentials for any authenticated user
ProLeiT Plant iT/Brewmaxx version 9.60 or later (unpatched)
Eval commands enabled in Redis (default or custom configuration)

remotely exploitablerequires valid credentials (low privilege bar for engineering access)low complexity attackhigh EPSS score (13.2%)affects process control systemsprivilege escalation to code execution

Exploitability

Likely to be exploited — EPSS score 13.2%

Public Proof-of-Concept (PoC) on GitHub (7 repositories)

Affected products (1)

ProductAffected VersionsFix Status

ProLeiT Plant iT/Brewmaxx≥ 9.60ProLeiT-2025-001

Remediation & Mitigation

0/7

Do now

0/5

HOTFIXInstall Patch ProLeiT-2025-001 immediately via ProLeiT Support

HARDENINGAfter patching, disable eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality

HARDENINGForce usage of secure Redis configuration templates in system settings as documented in the ProLeiT-2025-001 patch manual

HOTFIXRestart all patched servers and workstations to apply configuration changes

WORKAROUNDRestrict network access to ProLeiT servers and VisuHub components to engineering workstations only; block access from untrusted networks using firewall rules

Long-term hardening

0/2

HARDENINGIsolate the ProLeiT control network from the business network using a firewall or network segmentation

HARDENINGIf remote access is required, route it through a VPN or jump server and keep VPN software updated

CVEs (4)

CVE-2025-49844 CVE-2025-46817 CVE-2025-46818 CVE-2025-46819

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/23d2506d-ab7f-45d7-a109-2a82465fec15

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.