WebHMI Component For EcoStruxure™ Power Automation System User Interface and EcoStruxure™ Microgrid Operation Large
Act Now · CVSS 9.8 · SEVD-2025-070-03 · Mar 11, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability exists in the WebHMI component used in EcoStruxure™ Power Automation System User Interface (EPAS UI, formerly EcoSUI) and EcoStruxure™ Microgrid Operation Large (EMO-L). EcoSUI is a local SCADA/HMI platform based on IEC 61850 used to supervise, monitor, and control large electrical networks. EMO-L is a power management system for critical Microgrid applications. The vulnerability could allow unauthorized access to the underlying software application running WebHMI.
What this means
What could happen
An attacker could gain unauthorized access to the SCADA/HMI system and the underlying application, potentially allowing them to view or alter electrical network operations, control distributed energy resources, or disrupt microgrid management and monitoring.
Who's at risk
Electric utilities and large-scale electrical network operators using EcoStruxure™ Power Automation System User Interface (EPAS UI/EcoSUI) or EcoStruxure™ Microgrid Operation Large (EMO-L) for SCADA/HMI monitoring and control. Critical infrastructure operators managing substations, distribution networks, and microgrids with embedded power management systems.
How it could be exploited
The attacker needs network access to the WebHMI component. Once the component is reachable, the attacker could exploit the vulnerability to bypass authentication or authorization controls and gain unauthorized access to the application running on WebHMI, without requiring valid credentials or user interaction.
Prerequisites
- Network access to the WebHMI component (likely HTTP/HTTPS ports)
- Affected version of EPAS UI or EMO-L must be deployed and accessible
remotely exploitable · no authentication required · low complexity · affects safety systems · critical severity (CVSS 9.8) · actively deployed in critical infrastructure
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 pending
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| EPAS User Interface | ≤ 4.1.0.0 | No fix yet |
| EcoStruxure™ Microgrid Operation Large (EMO-L) | ≤ 4.1.0.0 | No fix yet |
Remediation & Mitigation
Do now
HARDENING: Isolate WebHMI components from untrusted networks using firewall rules; restrict network access to authorized engineering workstations and control center networks only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Apply hotfix WebHMI_Fix_users_for_Standard.V1 from Schneider Electric Customer Care Center
Long-term hardening
HARDENING: Implement network segmentation to separate SCADA/HMI systems from external networks and limit lateral movement
CVEs (1)
API:
/api/v1/advisories/aa31303e-a771-4f4e-b262-3e058c690425