OTPulse

StruxureWare Data Center Expert

Plan: Patch
CVSS: 8.8
Advisory: SEVD-2023-192-01
Published: Jul 11, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

StruxureWare Data Center Expert (renamed to EcoStruxure IT Data Center Expert) versions 7.9.3 and earlier contain multiple vulnerabilities including SQL injection (CWE-89) and code injection (CWE-94). These flaws allow authenticated users to achieve remote code execution and privilege escalation on the monitoring platform, potentially resulting in loss of control and availability of the appliance.

What this means
What could happen
An attacker with valid credentials could remotely execute code on the data center monitoring platform, potentially causing loss of visibility into critical equipment or disrupting the ability to manage data center resources and operations.
Who's at risk
Data center operators and facility managers using Schneider Electric's StruxureWare Data Center Expert or EcoStruxure IT Data Center Expert for monitoring power distribution units (PDUs), cooling systems, environmental sensors, and other critical infrastructure. This affects anyone relying on this centralized monitoring platform to manage data center operations.
How it could be exploited
An attacker with valid user credentials exploits SQL injection (CWE-89) or code injection (CWE-94) vulnerabilities to bypass normal application logic, execute arbitrary code on the monitoring server, and gain remote access or elevated privileges. From there, they could modify monitoring data, disable alerts, or control connected infrastructure equipment.
Prerequisites
  • Valid user credentials for StruxureWare Data Center Expert / EcoStruxure IT Data Center Expert
  • Network access to the monitoring server (typically on internal data center network)
  • StruxureWare Data Center Expert version 7.9.3 or earlier running in the environment
  • remotely exploitable
  • requires valid credentials (medium barrier)
  • no active exploitation reported
  • high severity (CVSS 8.8)
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (1)
Product                         | Affected Versions | Fix Status
StruxureWare Data Center Expert | ≤ V7.9.3          | V8.0
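As an added example that is not part of the OTPulse advisory or Schneider Electric's own tooling: a Python check that classifies inventory entries against the affected range in the table above (≤ V7.9.3, fixed in V8.0), comparing versions numerically so that a build such as 7.10 is not mistaken for something older than 7.9.3. The inventory lines and host names are constructed for the example.

```python
import re

# Range from the advisory table: affected <= V7.9.3, fixed in V8.0.
LAST_AFFECTED = (7, 9, 3)
FIXED_IN = (8, 0)

def parse_version(text):
    """Turn 'V7.9.3', 'v7.10' or '8.0.1' into a tuple of ints.
    Numeric comparison matters: as strings, '7.10.0' sorts before '7.9.3'."""
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def _cmp_key(v, width=4):
    # Pad so 7.9 and 7.9.0 compare equal and 7.9.3.1 sorts after 7.9.3.
    return tuple(v) + (0,) * (width - len(v))

def classify(version_text):
    """'affected'   : <= 7.9.3 (inside the advisory's affected range)
       'fixed'      : >= 8.0 (the advisory's fix release or later)
       'unverified' : anything in between, which the advisory does not name."""
    v = _cmp_key(parse_version(version_text))
    if v <= _cmp_key(LAST_AFFECTED):
        return "affected"
    if v >= _cmp_key(FIXED_IN):
        return "fixed"
    return "unverified"

# Constructed sample inventory (hypothetical hosts): host,product,version
INVENTORY = """\
dce-01,StruxureWare Data Center Expert,V7.9.3
dce-02,EcoStruxure IT Data Center Expert,V8.0
dce-03,StruxureWare Data Center Expert,v7.10.0
dce-04,StruxureWare Data Center Expert,7.9.3.1
pdu-01,APC Rack PDU,6.9.6
"""

def scan_inventory(csv_text):
    """Return {host: status} for Data Center Expert entries; other products are skipped."""
    results = {}
    for line in csv_text.splitlines():
        host, product, version = [f.strip() for f in line.split(",")]
        if "Data Center Expert" not in product:
            continue
        results[host] = classify(version)
    return results

if __name__ == "__main__":
    for host, status in scan_inventory(INVENTORY).items():
        print(f"{host}: {status}")
```

Entries reported as "unverified" sit between the last listed affected version and the fix release, so confirm them against the vendor advisory rather than treating them as safe.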
Remediation & Mitigation
Do now
HARDENING: Restrict administrative access to StruxureWare Data Center Expert to authorized personnel only; enforce strong password policies for all user accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update StruxureWare Data Center Expert to version 8.0 or later (available from Schneider Electric Customer Care Center)
Long-term hardening
HARDENING: Isolate the monitoring server on a restricted network segment with firewall rules limiting access to authorized management stations only