Data Center Expert
Plan Patch · 8 · SEVD-2022-165-04 · Jun 14, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
Schneider Electric's Data Center Expert product (versions 7.9.0 and earlier) contains multiple vulnerabilities related to credential storage, deserialization, and access control. These flaws could allow an authenticated user to gain unauthorized access to the DCE instance, potentially disrupting the monitoring and management of data center physical infrastructure including power, cooling, security, and environmental systems.
What this means
What could happen
An attacker with user-level access could gain unauthorized control of the Data Center Expert monitoring platform, potentially causing data center power, cooling, or security system outages by disrupting monitoring and management functions.
Who's at risk
Data center operators and facility managers responsible for monitoring and managing multi-vendor physical infrastructure (power distribution, cooling systems, security access control, and environmental sensors) who use Schneider Electric's Data Center Expert platform.
How it could be exploited
An attacker with valid user credentials can exploit credential storage and deserialization flaws to escalate privileges or execute arbitrary code within the Data Center Expert application, allowing them to modify infrastructure settings or disable monitoring.
Prerequisites
- Valid user credentials for Data Center Expert
- Network access to the DCE application interface
- User interaction may be required to trigger certain exploit vectors
remotely exploitable · low complexity · requires valid user credentials · affects critical infrastructure monitoring
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (1)
| Product | Affected Versions | Fix Status |
|---|---|---|
| Data Center Expert | ≤ 7.9.0 | 7.9.1 |
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade Data Center Expert to version 7.9.1 or later