OTPulse

StruxureWare Data Center Expert

Act Now · CVSS 9.1 · SEVD-2021-257-03 · Sep 14, 2021
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

StruxureWare Data Center Expert versions 7.8.1 and prior contain multiple vulnerabilities (CWE-22 path traversal, CWE-78 command injection) that could allow remote code execution. The product manages multi-vendor physical infrastructure including power, cooling, security, and environmental systems across data centers and facilities. Exploitation requires network access and high-privilege credentials but could result in complete compromise of data center management and potential operational outages.

What this means
What could happen
An attacker with administrative-level access to StruxureWare Data Center Expert could execute arbitrary code on the management system, potentially disrupting monitoring and control of critical data center power, cooling, and security infrastructure.
Who's at risk
Data center operators and facility managers using StruxureWare Data Center Expert to monitor and manage power distribution, cooling systems, security access, and environmental controls. This includes energy utilities, data center operators, and large facilities with multi-vendor infrastructure.
How it could be exploited
An attacker with high privilege credentials (admin or engineering account) on the network where StruxureWare Data Center Expert is deployed could exploit a path traversal or command injection flaw to execute arbitrary system commands on the server, gaining control over data center infrastructure management functions.
Prerequisites
  • Network access to StruxureWare Data Center Expert server
  • Valid high-privilege credentials (administrator or engineering account)
  • Access to the management network where the product is deployed
  • remotely exploitable
  • high-privilege credentials required
  • no patch available
  • affects critical infrastructure control
  • CVSS 9.1 critical
Exploitability
Moderate exploit probability (EPSS 3.7%)
Affected products (1)
Product: StruxureWare Data Center Expert 7.8.1 and prior
Affected Versions: ≤ 7.8.1
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Ensure controllers are not in 'Program' mode and are physically secured
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Restrict remote access: if required, use secure VPNs only and keep VPN software updated to current versions
HARDENING: Monitor and restrict mobile device connections: scan USB drives and removable media for malware before connecting to the data center network
Mitigations - no patch available
StruxureWare Data Center Expert 7.8.1 and prior has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Network segmentation: isolate StruxureWare Data Center Expert and all control/safety system networks behind firewalls, separate from business networks
HARDENING: Implement physical access controls: lock equipment in cabinets and restrict personnel access to the data center management infrastructure