Trio™ Q Licensed Data Radios
Monitor | 6.8 | SEVD-2025-098-02 | Apr 8, 2025
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Schneider Electric Trio Q Licensed Data Radio versions prior to 2.7.2 contain a vulnerability that could allow an attacker with physical access to the device to read or modify firmware, configuration, and potentially sensitive data without authentication. The Trio Q radios are used for point-to-point and multipoint SCADA telemetry in critical infrastructure applications. Successful exploitation could result in unauthorized access to SCADA systems, disclosure of communications data, or injection of malicious firmware that could disrupt or compromise remote operations.
What this means
What could happen
An attacker with physical access to the radio could extract or modify firmware or configuration data, potentially gaining unauthorized access to SCADA systems or disrupting remote telemetry communications that control critical infrastructure.
Who's at risk
Energy utilities and critical infrastructure operators who use Schneider Electric Trio Q Licensed Data Radios for point-to-point or multipoint SCADA telemetry, remote control, and data communications. This includes water authorities, electric utilities, and oil/gas operations that rely on these radios for remote monitoring and control of field devices.
How it could be exploited
An attacker with physical access to the Trio Q radio could exploit the vulnerability to read or write the device's firmware and configuration memory without proper authentication, allowing them to extract credentials, modify radio settings, or inject malicious firmware.
Prerequisites
- Physical access to the Trio Q Licensed Data Radio device
- No special tools beyond standard diagnostic equipment required
physical access required | affects SCADA telemetry systems | loss of confidentiality and integrity risk
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Trio™ Q Licensed Data Radio | <2.7.2 | 2.7.2 |
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Trio Q Licensed Data Radio firmware to version 2.7.2 or later