OTPulse

EcoStruxure™ Power Monitoring Expert

Action: Plan Patch
CVSS: 7.5
Advisory ID: SEVD-2022-011-07
Published: Jan 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

EcoStruxure Power Monitoring Expert contains multiple vulnerabilities that could lead to loss of data confidentiality, data integrity issues, or loss of access to the server. The product is on-premise software used in power-critical and energy-intensive facilities to monitor and optimize power systems.

What this means
What could happen
An attacker could manipulate monitoring data or block access to the PME server, disrupting visibility into power systems and potentially impacting the facility's ability to monitor energy consumption and equipment status across critical infrastructure.
Who's at risk
Power utilities, energy-intensive facilities, and industrial plants running EcoStruxure Power Monitoring Expert (versions 2020 or earlier, and 9.0) should prioritize this update. This software is critical for power system visibility in data centers, manufacturing plants, hospitals, and other facilities dependent on continuous power monitoring.
How it could be exploited
An unauthenticated attacker on the network can send crafted requests to the PME server to trigger input validation flaws (CWE-20) or inject malicious content via the web interface (CWE-79), resulting in server unavailability or data manipulation.
Prerequisites
  • Network access to the EcoStruxure Power Monitoring Expert server
  • PME version 2020 or earlier, or version 9.0, deployed
  • Server accessible from attacker's network segment
Tags: remotely exploitable · no authentication required · low complexity · affects monitoring and visibility systems
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (2)
2 with fix
Product                              Affected Versions   Fix Status
EcoStruxure Power Monitoring Expert  <= 2020             2020 CU3
EcoStruxure Power Monitoring Expert  <= 9.0              2020 CU3
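The affected-version table above is easy to misread when an inventory mixes the old 9.x numbering with the year-based 2020/2021 releases and cumulative updates. The following is an added example, not code from OTPulse or Schneider Electric, that encodes the table as published here (everything below 2020 CU3 is affected, 2020 CU3 is the first fixed build) and maps each host in a constructed inventory to the remediation steps listed on this page. It assumes PME version strings are written as "<year> CU<n>", "<year>" alone, or "<major>.<minor>" for the older numbering; the hostnames and versions in the sample inventory are made up.

```python
import re
from typing import Dict, List, NamedTuple

# First fixed build, taken from the advisory's Fix Status column.
FIRST_FIXED = "2020 CU3"

# Assumed version string format (not specified by the advisory):
#   "2020 CU3", "2020", or the older "9.0" style. Matching is case-insensitive.
_VERSION_RE = re.compile(
    r"^\s*(?P<major>\d{1,4})(?:\.(?P<minor>\d+))?(?:\s*CU\s*(?P<cu>\d+))?\s*$",
    re.IGNORECASE,
)


class PmeVersion(NamedTuple):
    """Comparable form of a PME version: (major, minor, cumulative update)."""
    major: int
    minor: int
    cu: int


def parse_version(text: str) -> PmeVersion:
    """Parse a PME version string; raise ValueError for anything unrecognised."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PME version string: {text!r}")
    return PmeVersion(int(m["major"]), int(m["minor"] or 0), int(m["cu"] or 0))


def is_affected(version: str) -> bool:
    """True when the installed build predates the first fixed build (2020 CU3).

    Year-based releases (2020, 2021) sort above the old 9.x numbering, so a
    single tuple comparison covers both rows of the advisory's table.
    """
    return parse_version(version) < parse_version(FIRST_FIXED)


def remediation_steps(version: str) -> List[str]:
    """Steps from this advisory that still apply to the given build, in order."""
    v = parse_version(version)
    steps: List[str] = []
    if v < parse_version(FIRST_FIXED):
        steps.append("Upgrade EcoStruxure Power Monitoring Expert to 2020 CU3 or later")
        steps.append("After the PME upgrade, install Floating License Manager 2.7 (CVE-2019-8963)")
    if v.major < 2021:
        # Long-term hardening item from the advisory, independent of the fix itself.
        steps.append("Plan upgrade to PME 2021 for continued support")
    return steps


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map host -> remediation steps for every host that still needs action.

    Unparseable version strings are flagged for manual verification rather
    than silently treated as fixed.
    """
    result: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        try:
            steps = remediation_steps(version)
        except ValueError:
            steps = ["Verify installed version manually (unparseable version string)"]
        if steps:
            result[host] = steps
    return result


# Constructed sample inventory: hostnames and versions are invented for this example.
SAMPLE_INVENTORY = {
    "pme-plant-a": "2020 CU2",
    "pme-plant-b": "9.0",
    "pme-dc-1": "2020 CU3",
    "pme-dc-2": "2021",
    "pme-lab": "v2020?",
}

if __name__ == "__main__":
    for host, steps in triage_inventory(SAMPLE_INVENTORY).items():
        print(host)
        for step in steps:
            print("  -", step)
```

Hosts already on 2020 CU3 appear only because the page's long-term hardening item (move to PME 2021) still applies to them; a 2021 host produces no output at all.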
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade EcoStruxure Power Monitoring Expert to version 2020 CU3 or later
HOTFIX: After the PME upgrade, install Floating License Manager 2.7 to address CVE-2019-8963
Long-term hardening
HOTFIX: Plan an upgrade to PME 2021 for continued support and access to newer security updates
EcoStruxure™ Power Monitoring Expert | CVSS 7.5 - OTPulse