EcoStruxure™ Power Operation

Act Now8.8SEVD-2025-189-03Jul 8, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

EcoStruxure™ Power Operation (EPO) includes PostgreSQL, a database server used to store EPO data. Schneider Electric has identified multiple vulnerabilities disclosed in PostgreSQL that affect EPO deployments. The vulnerabilities can be exploited via the PostgreSQL pgadmin tool or through direct PostgreSQL network access. EPO is an on-premises software platform used to monitor and control medium and lower voltage power systems.

What this means

What could happen

An attacker could gain unauthorized access to the EPO database or execute commands on the system, potentially allowing them to modify power system monitoring data, alter control settings, or disrupt the ability to monitor and control electrical equipment across your facility.

Who's at risk

This affects any organization running EcoStruxure™ Power Operation for electrical power system monitoring and control, particularly in utility operations, large industrial facilities, and data centers. Impact is higher for sites that rely on EPO for real-time monitoring and control of medium and low voltage electrical distribution equipment.

How it could be exploited

An attacker with network access to the PostgreSQL port (default 5432) on an EPO server could exploit PostgreSQL vulnerabilities to gain database access or execute arbitrary code. If pgadmin is installed and exposed, it could be exploited directly. The vulnerability requires user interaction only if triggered through the web interface; direct database attacks do not require authentication.

Prerequisites

Network access to PostgreSQL port (default 5432) on EPO server, or
Network access to pgadmin web interface if installed
EPO version 2022 CU6 or earlier, or 2024 CU1 or earlier
Waveform analysis or ETAP simulation features enabled (uses PostgreSQL)

remotely exploitableno authentication requiredlow complexityactively exploited (KEV)EPSS score 94.5%affects critical infrastructure (power systems)

Exploitability

Actively exploited — confirmed by CISA KEV

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

EcoStruxure™ Power Operation (EPO) 2022 CU6 and prior≤ 2022 CU62024 CU2

EcoStruxure™ Power Operation (EPO) 2024 CU1 and prior≤ 2024 CU12024 CU2

Remediation & Mitigation

0/5

Do now

0/5

EcoStruxure™ Power Operation (EPO) 2022 CU6 and prior

WORKAROUNDUninstall pgadmin tool from EPO server and client machines if installed

WORKAROUNDIf waveform analysis and ETAP simulation features are not used, uninstall PostgreSQL entirely from EPO deployment

All products

HOTFIXUpdate EcoStruxure™ Power Operation to 2024 CU2 or install 2022 CU7

HARDENINGIf waveform analysis or ETAP simulation features are used, configure PostgreSQL to accept connections only from localhost (contact Schneider support for configuration assistance)

HOTFIXManually upgrade PostgreSQL from 14.10 to 14.17 or higher on systems that require the database

CVEs (6)

CVE-2023-50447 CVE-2024-28219 CVE-2022-45198 CVE-2023-5217 CVE-2023-35945 CVE-2023-44487

View full Schneider Electric advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fbc77477-7a92-4c73-a633-94f6fb26fe18