EcoStruxure™ Process Expert, EcoStruxure™ Process Expert for AVEVA System Platform

Plan Patch7.8SEVD-2025-042-03Feb 11, 2025

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

EcoStruxure™ Process Expert and EcoStruxure™ Process Expert for AVEVA System Platform contain an improper privilege management vulnerability (CWE-269) that allows a local user with standard privileges to escalate to higher privileges on the engineering workstation. This could enable unauthorized modification of control system designs, process logic, or supervisory configurations before deployment to production Modicon controllers and SCADA systems.\n\nAffected versions include EcoStruxure™ Process Expert 2023 (versions below 4.8.0.5715), 2021, and 2020 R2, as well as EcoStruxure™ Process Expert for AVEVA System Platform 2023, 2021, and 2020 R2. Only the 2023 version has a patch available; earlier versions have no fix planned.

What this means

What could happen

A logged-in user with standard privileges on an engineering workstation could escalate to higher privileges and modify the EcoStruxure™ Process Expert software, potentially altering process controls, logic, or supervisory configurations for Modicon controllers and SCADA systems.

Who's at risk

Power and energy utilities operating Modicon controllers and SCADA systems using EcoStruxure™ Process Expert for engineering and commissioning. Affects engineering teams who design, maintain, and commission control system logic and supervisory configurations. Risk is highest in organizations where engineering workstations are shared or accessible to multiple staff.

How it could be exploited

An attacker with a user account on the engineering workstation running vulnerable EcoStruxure™ Process Expert software could exploit improper privilege management to execute commands with elevated privileges. This allows them to modify process designs, controller logic, or SCADA configurations before they are deployed to production control systems.

Prerequisites

Local access to engineering workstation running vulnerable EcoStruxure™ Process Expert
Valid user credentials with standard (non-administrative) privileges
Vulnerable version of the software installed (2020 R2, 2021, 2023 below v4.8.0.5715, or AVEVA System Platform variants)

Improper privilege management (CWE-269)Local exploitation requiredRequires valid user credentialsMultiple product versions with no fix plannedCould allow modification of safety-critical process logic

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (6)

1 with fix5 pending

ProductAffected VersionsFix Status

EcoStruxure™ Process Expert for AVEVA System2020 R2No fix yet

EcoStruxure™ Process Expert for AVEVA System2021No fix yet

EcoStruxure™ Process Expert for AVEVA System2023No fix yet

EcoStruxure™ Process Expert2020 R2No fix yet

EcoStruxure™ Process Expert2021No fix yet

EcoStruxure™ Process Expert 2023<4.8.0.57154.8.0.5715

Remediation & Mitigation

0/4

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

EcoStruxure™ Process Expert

HOTFIXUpgrade EcoStruxure™ Process Expert 2023 to version 4.8.0.5715 or later

All products

HOTFIXUninstall previous version 2023 (v4.8.0.5115) before installing the patched version

Long-term hardening

0/2

HARDENINGFor 2020 R2 and 2021 versions with no fix planned, restrict local access to engineering workstations to authorized personnel only

HARDENINGImplement access controls and audit logging on engineering workstations to detect unauthorized privilege escalation attempts

CVEs (1)

CVE-2025-0327

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/70544ce1-95fc-44e4-a134-ad97d3aa21f3