OTPulse

EcoStruxure™ Power Monitoring Expert (PME) and EcoStruxure™ Power Operation (EPO) with Advanced Reporting and Dashboards

Monitor | CVSS 4.3 | SEVD-2025-189-04 | Jul 8, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in EcoStruxure™ Power Monitoring Expert (PME) and EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module allows authenticated users to view data they should not have access to. The vulnerability affects PME versions 2023, 2023 R2, 2024, and 2024 R2, and EPO 2022 and 2024. Exploitation requires valid authentication to the system.

What this means
What could happen
An attacker with valid credentials could view sensitive operational data (monitoring and reporting information) in power management systems that their access level should not permit, potentially exposing facility operations details to unauthorized personnel.
Who's at risk
This affects energy facilities and utilities using Schneider Electric's power management software. Specifically, organizations running EcoStruxure™ Power Monitoring Expert (PME) for facility monitoring or EcoStruxure™ Power Operation (EPO) for SCADA control and monitoring of medium and low-voltage power systems should assess their exposure.
How it could be exploited
An authenticated user, or an attacker with compromised credentials, logs into EcoStruxure™ Power Monitoring Expert or Power Operation and navigates to the advanced reporting and dashboard features, where insufficient access controls allow access to data beyond their authorization level.
Prerequisites
  • Valid authentication credentials for EcoStruxure™ PME or EPO system
  • Network access to the on-premises PME or EPO software
  • User account must be authenticated to the system
authentication required · low CVSS score (4.3) · confidentiality impact only · information disclosure risk
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
2 with fix, 1 pending
Product | Affected Versions | Fix Status
EcoStruxure™ Power Monitoring Expert (PME) | 2023; 2023 R2; 2024; 2024 R2 | 2023 Hotfix_199767
EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module | 2022 | Hotfix_199767
EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module | 2024 | No fix yet
Remediation & Mitigation
Do now
EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module
WORKAROUND: For EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module version 2024, contact the Schneider Electric Customer Care Center to discuss mitigation options or an upgrade path, as no fix is currently available.
EcoStruxure™ Power Monitoring Expert (PME)
HARDENING: Review and restrict access controls for authenticated users in PME and EPO to limit data visibility by role until patched.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EcoStruxure™ Power Monitoring Expert (PME)
HOTFIX: Apply Hotfix_199767 to EcoStruxure™ Power Monitoring Expert (PME) versions 2023, 2023 R2, 2024, and 2024 R2.
EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module
HOTFIX: Apply Hotfix_199767 to EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module version 2022.