Deserialization of Untrusted Data vulnerability on Multiple Products
Status: Plan Patch · Score: 7.8 · Advisory ID: SEVD-2026-069-06 · Date: Mar 10, 2026
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
A deserialization of untrusted data vulnerability exists in Schneider Electric EcoStruxure™ Power Monitoring Expert (PME) and EcoStruxure™ Power Operation (EPO) products. An attacker with local access can provide malicious serialized data that bypasses validation, leading to arbitrary code execution with the privileges of the running application. PME 2023 R2 through 2024 R2 are affected. EPO 2022 and 2024 versions with the Advanced Reporting and Dashboards Module are also vulnerable. Successful exploitation could compromise the system, disrupt power monitoring and control operations, and grant unauthorized administrative access.
What this means
What could happen
An attacker with local system access could execute arbitrary code on the power monitoring or operation software server, potentially disrupting energy monitoring and control operations or gaining administrative access to the system.
Who's at risk
Energy and utility operators running Schneider Electric's EcoStruxure™ Power Monitoring Expert (PME) software for monitoring power systems at critical facilities, and organizations using EcoStruxure™ Power Operation (EPO) for controlling medium and lower voltage power systems. This affects on-premises installations that aggregate data from distributed electrical equipment across facilities.
How it could be exploited
An attacker with local access to the PME or EPO server sends specially crafted serialized data to the application. The application deserializes this untrusted data without validation, allowing the attacker to instantiate arbitrary objects and execute code with the privileges of the running process.
Prerequisites
- Local access to the PME or EPO server
- Ability to interact with the vulnerable deserialization function (likely via local API or file upload)
- Running instance of PME or EPO software
- No authentication required for local exploitation
- Low complexity attack
- No patch available for EPO 2022 and 2024 versions
- Affects power monitoring and control systems
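The weakness described above is the generic deserialization-of-untrusted-data pattern: the loader resolves and instantiates whatever type the payload names. As an added illustration that is not code from Schneider Electric's products (this page shows none of their code), the following Python example contrasts an unrestricted loader with one that only resolves an allowlist of expected types and rejects everything else. The record type (MeterReading), the loader names and the sample payloads are constructed for this example; the same principle (an allowlist of deserializable types, enforced inside the deserializer) applies to other serialization frameworks.

```python
import datetime
import io
import pickle
from dataclasses import dataclass


# Constructed, hypothetical record type standing in for the data the
# application legitimately expects to receive in serialized form.
@dataclass
class MeterReading:
    meter_id: str
    kwh: float


# Allowlist of (module, name) pairs the loader may resolve. Using
# MeterReading.__module__ keeps the entry correct however the file is imported.
ALLOWED_GLOBALS = {
    (MeterReading.__module__, "MeterReading"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist.

    pickle resolves every class or callable referenced by a payload through
    find_class(); overriding it is where the loader decides which types may
    be instantiated, instead of letting the payload name any importable one.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name}: not on the allowlist"
        )


def unrestricted_load(data: bytes):
    """The flawed pattern: instantiates whatever types the payload names."""
    return pickle.loads(data)


def restricted_load(data: bytes):
    """The hardened pattern: raises UnpicklingError on any non-allowlisted type."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted_load(data: bytes):
    """Return (object, None) on success or (None, reason) when rejected,
    so the rejection reason can be logged for detection purposes."""
    try:
        return restricted_load(data), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


# Constructed sample payloads: one of the expected type, one naming a type
# the application never asked for (a harmless stand-in for an unexpected class).
EXPECTED_PAYLOAD = pickle.dumps(MeterReading("feeder-A1", 1.5))
UNEXPECTED_PAYLOAD = pickle.dumps(datetime.date(2026, 3, 10))


if __name__ == "__main__":
    # The unrestricted loader happily materialises the unexpected type.
    print("unrestricted:", unrestricted_load(UNEXPECTED_PAYLOAD))
    # The restricted loader accepts the expected record and rejects the other.
    print("restricted ok:", try_restricted_load(EXPECTED_PAYLOAD))
    print("restricted rejected:", try_restricted_load(UNEXPECTED_PAYLOAD))
```

The rejection message from `try_restricted_load` is the signal worth forwarding to a log: a deserialization request naming a type outside the allowlist is exactly the event a defender wants to see, whether it is a misconfigured client or an attempt to reach the weakness this advisory describes.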
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
1 with fix · 1 pending · 1 EOL
Product | Affected Versions | Fix Status
EcoStruxure™ Power Monitoring Expert (PME) | ≤ 2022; 2023; 2023 R2; 2024; 2024 R2 | 2023 R2 Hotfix_282807
EcoStruxure™ Power Operation (EPO) 2024 with Advanced Reporting and Dashboards Module | 2024 | No fix yet
EcoStruxure™ Power Operation (EPO) 2022 Advanced Reporting and Dashboards Module | ≤ 2022 | No fix (EOL)
Remediation & Mitigation
Do now
EcoStruxure™ Power Operation (EPO) 2024 with Advanced Reporting and Dashboards Module
Workaround: For EcoStruxure™ Power Operation (EPO) 2022 and 2024 versions, implement local access controls and firewall rules to restrict direct access to the EPO server from untrusted networks or users
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
EcoStruxure™ Power Monitoring Expert (PME)
Hotfix: Apply Hotfix_279338_Release_2024R2 for EcoStruxure™ Power Monitoring Expert (PME) 2024 R2
Hotfix: Apply Hotfix_282807 for EcoStruxure™ Power Monitoring Expert (PME) 2023 R2
Hotfix: Upgrade EcoStruxure™ Power Monitoring Expert (PME) to version 2024 R3 or later
CVEs (1)
API:
/api/v1/advisories/aba611de-603b-43ba-8da1-d4c393e3ab12