EcoStruxure™ Power Monitoring Expert (PME)
Plan Patch7.1SEVD-2024-282-05Oct 8, 2024
Attack VectorNetwork
Auth RequiredLow
ComplexityHigh
User InteractionRequired
Summary
EcoStruxure™ Power Monitoring Expert (PME) is vulnerable to unsafe deserialization of untrusted data, which could allow an attacker to achieve remote code execution on the monitoring software platform. The vulnerability affects PME 2022 and earlier versions (through 2021).
What this means
What could happen
An attacker with valid user credentials could trigger remote code execution on the PME server, potentially gaining control of the power monitoring and management platform and disrupting visibility and control of critical facility power systems.
Who's at risk
This affects energy sector facilities using EcoStruxure™ Power Monitoring Expert (PME) 2022 and earlier versions for power monitoring, including critical infrastructure operations, data centers, manufacturing facilities, and utilities that rely on PME for power distribution management and efficiency optimization.
How it could be exploited
An attacker with valid PME user credentials submits a specially crafted serialized object through the PME application interface. The application deserializes this untrusted data without proper validation, allowing the attacker to execute arbitrary code with the PME service account privileges on the monitoring server.
Prerequisites
- Valid user credentials for EcoStruxure™ Power Monitoring Expert (PME) application
- Network access to the PME server application port
- User interaction required: the legitimate user must be present or the attacker must trigger an action that processes the malicious object
Remotely exploitableRequires valid user credentialsRequires user interaction or actionAffects critical power monitoring infrastructureHigh impact (code execution on monitoring platform)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 with fix
ProductAffected VersionsFix Status
EcoStruxure™ Power Monitoring Expert (PME)2022Hotfix_75031_PME2022
EcoStruxure Power Monitoring Expert (PME)≤ 2021Hotfix_75031_PME2022
Remediation & Mitigation
0/2
Do now
0/1EcoStruxure™ Power Monitoring Expert (PME)
HARDENINGRestrict network access to the PME server to only authorized users and workstations using firewall rules; limit which users have PME application access credentials
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
EcoStruxure™ Power Monitoring Expert (PME)
HOTFIXApply Hotfix_75031_PME2022 from Schneider Electric Customer Care Center to EcoStruxure™ Power Monitoring Expert (PME) 2022 and all earlier versions
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/4a559e45-1016-4206-b572-806862226adf