EPAS-UI & EcoSUI
Monitor · 6.8 · SEVD-2025-070-02 · Mar 11, 2025
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability exists in EcoStruxure™ Power Automation System User Interface (EPAS-UI) versions 2.1 through 2.9 that allows authentication bypass. The EPAS-UI is an HMI/SCADA system designed for electrical network and substation operations. Exploitation could allow an attacker to gain partial to full control of the automation system without valid credentials. Version 2.10 contains the fix and is available from Schneider Electric's Customer Care Center.
What this means
What could happen
An attacker could bypass authentication and gain partial to full control of the power automation system interface, allowing them to view or modify electrical network operations and substation controls.
Who's at risk
Energy utilities and manufacturing facilities operating electrical substations and power distribution networks using Schneider Electric's EcoStruxure™ EPAS-UI for monitoring and control of electrical infrastructure.
How it could be exploited
An attacker with physical access to the EPAS-UI system (or network access if the interface is exposed) can exploit the authentication bypass vulnerability to access the HMI/SCADA interface without valid credentials. This grants them the ability to view real-time power system data and potentially issue commands to connected electrical equipment.
Prerequisites
- Physical or network access to the EPAS-UI system
- No credentials required due to authentication bypass
authentication bypass · HMI/SCADA impact · affects electrical operations · physical/network access required
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: EcoStruxure™ Power Automation System User Interface (EPAS-UI) Secured
Affected Versions: ≥ 2.1 | ≤ 2.9
Fix Status: 2.10
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update EcoStruxure™ Power Automation System User Interface (EPAS-UI) to version 2.10 or later
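The following is an added example, not code from Schneider Electric or from this page, for triaging an asset inventory against the affected range (2.1 through 2.9, fixed in 2.10). It compares versions as integer tuples, because a string or float comparison ranks 2.10 below 2.9 and would mislabel the fixed release; the CSV layout, the hostnames and the choice to compare on major.minor only are assumptions.

```python
import csv
import io

# Affected range and fixed release, as stated in the advisory.
AFFECTED_MIN = (2, 1)
AFFECTED_MAX = (2, 9)
FIXED = (2, 10)

def parse_version(text):
    """Turn '2.10' into (2, 10); return None if any part is not a number."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Return 'affected', 'fixed', 'not-listed' or 'unknown' for one version."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"      # unparseable: verify the installation by hand
    # Assumption: compare on major.minor, so a 2.9.x build counts as 2.9.
    mm = (v + (0,))[:2]
    if AFFECTED_MIN <= mm <= AFFECTED_MAX:
        return "affected"
    if mm >= FIXED:
        return "fixed"
    return "not-listed"       # below 2.1: the advisory makes no statement

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """host,epas_ui_version
hmi-sub-01,2.1
hmi-sub-02,2.9
hmi-sub-03,2.10
hmi-sub-04,2.0
hmi-sub-05,n/a
"""

def triage(inventory_csv):
    """Map each host in the CSV to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["epas_ui_version"]) for row in reader}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` or `not-listed` need a manual check, since the advisory only covers versions 2.1 through 2.10.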
CVEs (1)
API:
/api/v1/advisories/577c80c1-6761-4720-8161-4168c604e444