EcoStruxure™ Power Monitoring Expert Software & EcoStruxure™ Power Operation (EPO) and EcoStruxure™ Power SCADA Operation (PSO)
Action: Plan Patch
Severity score: 8.8
Advisory ID: SEVD-2025-224-02
Published: Aug 12, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities (deserialization of untrusted data, server-side request forgery, and path traversal) in EcoStruxure™ Power Monitoring Expert (PME), EcoStruxure™ Power Operation (EPO), and EcoStruxure™ Power SCADA Operation (PSO) could allow authenticated attackers to execute remote code, access unauthorized data, or disrupt power monitoring and control. Affected PME versions: 2024, 2024 R2, 2023, 2023 R2, and 2022. Specific affected versions of EPO and PSO are not detailed in the advisory.
What this means
What could happen
An attacker with login credentials could execute arbitrary code on your power monitoring or SCADA software, allowing them to alter operational data, manipulate control commands, or disrupt monitoring of critical power systems. This could lead to incorrect operator decisions or loss of situational awareness during power emergencies.
Who's at risk
Electric utilities, municipal power systems, and energy-intensive industrial facilities using EcoStruxure™ Power Monitoring Expert for power monitoring and control, or using EcoStruxure™ Power Operation (EPO) and EcoStruxure™ Power SCADA Operation (PSO) for medium- and low-voltage power system control, should prioritize this update. Managed service customers whose PME instance is hosted for them are also affected.
How it could be exploited
An authenticated attacker sends a crafted request to the PME, EPO, or PSO web interface carrying malicious serialized data, a URL for the server to fetch, or a file path containing traversal sequences. The software deserializes the untrusted data, makes the server-side request, or reads the traversed path, letting the attacker execute arbitrary code, reach data it should not, or read sensitive configuration files. Beyond holding a valid login, no user interaction is required.
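Two of the three request shapes described above (path traversal and SSRF-style URLs) are visible in the web server's access log, so a first detection pass can run over those logs. The block below is an added example, not part of the advisory or any Schneider Electric tooling: it parses IIS W3C log lines, reads the column order from the #Fields header, URL-decodes twice to catch double encoding, and flags traversal sequences and parameter values that are themselves URLs. The log lines, user names, IPs and URL paths in $sampleLog are constructed for illustration; deserialization payloads travel in POST bodies, which IIS access logs do not record, so they are out of scope here.

```powershell
# Added example (not from the advisory): flag IIS W3C log lines from the PME/EPO/PSO
# web server that carry path-traversal sequences or SSRF-style URLs in the request.
# Field order is taken from the #Fields header. Sample lines and paths are constructed.

$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-08-13 09:14:02 10.10.5.20 GET /Web/Dashboard - 443 engineer1 10.10.20.15 200
2025-08-13 09:14:09 10.10.5.20 GET /Web/Export file=..%2F..%2F..%2Fwindows%2Fwin.ini 443 engineer1 10.10.99.7 200
2025-08-13 09:14:31 10.10.5.20 GET /Web/Fetch url=http%3A%2F%2F169.254.169.254%2Flatest 443 engineer1 10.10.99.7 500
2025-08-13 09:15:02 10.10.5.20 GET /Web/Export file=%252e%252e%255c%252e%252e%255cconfig.xml 443 engineer1 10.10.99.7 200
2025-08-13 09:15:40 10.10.5.20 POST /Web/Report - 443 engineer1 10.10.20.15 200
'@

function Expand-UrlEncoding([string]$Text) {
    # Decode two rounds so %252e%252e (double-encoded "..") is caught as well as %2e%2e.
    $once = [System.Uri]::UnescapeDataString($Text)
    return [System.Uri]::UnescapeDataString($once)
}

function Find-SuspiciousRequests([string[]]$Lines) {
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }

        # Map each column onto its header name so the check does not depend on column position.
        $cols = $line -split '\s+'
        $row  = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $row[$fields[$i]] = $cols[$i] }

        $reasons = @()

        # Path traversal: "../" or "..\" anywhere in the decoded path or query string.
        $decoded = (Expand-UrlEncoding $row['cs-uri-stem']) + '?' + (Expand-UrlEncoding $row['cs-uri-query'])
        if ($decoded -match '\.\.[\\/]') { $reasons += 'path traversal' }

        # SSRF-style: a parameter value that is itself a URL (split on & before decoding
        # so an encoded & inside a value does not break the pairs apart).
        foreach ($pair in ($row['cs-uri-query'] -split '&')) {
            $kv = $pair -split '=', 2
            if ($kv.Count -eq 2 -and (Expand-UrlEncoding $kv[1]) -match '^\s*(https?|file|ftp|gopher|dict):') {
                $reasons += "url in parameter '$($kv[0])'"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIP = $row['c-ip']
                User     = $row['cs-username']
                Request  = "$($row['cs-method']) $($row['cs-uri-stem'])?$($row['cs-uri-query'])"
                Status   = $row['sc-status']
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Run over the constructed sample; for a real server feed it Get-Content on the IIS log instead.
Find-SuspiciousRequests ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the constructed sample this reports three of the five lines (the two traversal attempts, including the double-encoded one, and the URL-valued parameter), all from the same client and account, which is the kind of clustering worth correlating with the "valid credentials" prerequisite: a legitimate user's account issuing these from an unfamiliar address points at credential misuse rather than operator error.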
Prerequisites
- Valid login credentials for the EcoStruxure™ Power Monitoring Expert, EPO, or PSO software
- Network access to the web interface port (typically port 80/443)
- Vulnerable version deployed (PME 2022, 2023, 2023 R2, 2024, or 2024 R2; affected EPO/PSO versions are not specified in the advisory)
- Remotely exploitable
- Requires valid credentials
- Allows code execution
- Affects power monitoring and SCADA systems
- Multiple attack vectors (deserialization, SSRF, path traversal)
- No hotfix listed in the advisory for PME 2022 or 2023 (releases before 2023 R2)
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (1)
Product: EcoStruxure™ Power Monitoring Expert (PME)
Affected Versions: 2022; 2023; 2023 R2; 2024; 2024 R2
Fix Status: Hotfix_279338_Release_2024R2
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the EcoStruxure™ software web interface to authorized engineering workstations and IT systems only. Every vulnerability here needs network reachability plus a valid login, so narrowing who can reach the listener removes the first of the two prerequisites.
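A concrete way to apply that restriction on the Windows host that serves the web interface, as an added example that is not part of the advisory or of Schneider Electric's guidance: set the firewall's default inbound action to Block, disable any existing allow rule that opens the web ports to every address, then add one allow rule scoped to the engineering workstations. It assumes the web interface listens on TCP 80/443 (as the Prerequisites above note) and that the address ranges in $allowedClients are placeholders you replace with your own. Run it in an elevated PowerShell session and review the list of rules it intends to disable before running it against a production server.

```powershell
# Added example (not from the advisory): scope inbound access to the PME/EPO/PSO web
# interface on a Windows host to named engineering workstations using Windows Firewall.
# Assumptions: TCP 80/443 is the web listener; $allowedClients holds placeholder addresses.

$webPorts        = 80, 443
$webPortStrings  = $webPorts | ForEach-Object { "$_" }
$allowedClients  = @('10.10.20.0/24', '10.10.30.15')   # placeholder: engineering subnet + jump host
$ruleName        = 'EcoStruxure web - engineering workstations only'

# 1. Block unsolicited inbound traffic by default on every profile, so an allow rule is the only way in.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Find enabled inbound allow rules that open the web ports to any remote address
#    (for example the stock "World Wide Web Services" rules) and disable them.
$broadRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        $addr  = $_ | Get-NetFirewallAddressFilter
        ($ports.Protocol -eq 'TCP') -and
        [bool]($ports.LocalPort | Where-Object { $_ -in $webPortStrings }) -and
        ($addr.RemoteAddress -eq 'Any')
    }

foreach ($rule in $broadRules) {
    Write-Host "Disabling broad inbound rule: $($rule.DisplayName)"
    Disable-NetFirewallRule -Name $rule.Name
}

# 3. Add the single scoped allow rule (replace an earlier copy if the script is re-run).
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort $webPorts `
    -RemoteAddress $allowedClients -Action Allow -Profile Any | Out-Null

# 4. Verify: the only inbound allow on these ports should now be scoped to $allowedClients.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object @{ Name = 'RemoteAddress'; Expression = { $_.RemoteAddress -join ', ' } }
```

Rules in Windows Firewall that explicitly Block win over Allow, which is why the script relies on the profile's default inbound action rather than adding a blanket Block rule for the ports: a blanket Block would also defeat the scoped Allow. Loopback traffic between the product's own services and IIS on the same host is not subject to these rules, and nothing here touches remote-management rules such as RDP, so check those separately if the server should not expose them either.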
Schedule — requires maintenance window
Patching may require a reboot of the host; plan for interruption of monitoring during the window.
HOTFIX: Apply Hotfix_279338_Release_2024R2 if running EcoStruxure™ Power Monitoring Expert 2024 R2.
HOTFIX: Upgrade EcoStruxure™ Power Monitoring Expert 2024 to 2024 R2, then apply Hotfix_279338_Release_2024R2.
HOTFIX: For EcoStruxure™ Power Monitoring Expert 2023 R2, apply Hotfix_199767_release and Hotfix_273686_release.12.0.
HOTFIX: Contact the Schneider Electric Customer Care Center to determine the patching path for your specific PME, EPO, or PSO version and to obtain the required hotfixes; the advisory lists no hotfix for PME 2022 or 2023.
Long-term hardening
HARDENING: Implement multi-factor authentication for login to PME, EPO, and PSO if your version supports it. Since every vulnerability here requires valid credentials, MFA denies an attacker who has only a stolen or guessed password the foothold needed to reach the vulnerable code paths.