Skip to main content
CybersecurityInfrastructure

Schneider Electric’s EcoStruxure: Revolutionizing Power Automation Systems

Schneider Electric’s EcoStruxure: Revolutionizing Power Automation Systems

Schneider Electric’s EcoStruxure: Revolutionizing Power Automation Systems

1. EXECUTIVE SUMMARY

Schneider Electric’s EcoStruxure Power Automation System is at the forefront of modern power management and automation solutions. However, a recently identified vulnerability in its WebHMI component poses significant security risks. This report delves into the implications of this vulnerability, its potential impact on critical infrastructure, and the necessary mitigations to safeguard against exploitation. Key points include:

  • CVSS v4 9.2: The vulnerability has a high severity score, indicating serious risks.
  • ATTENTION: The vulnerability is remotely exploitable with low attack complexity, making it accessible to a wide range of potential attackers.
  • Vendor: Schneider Electric, a leader in energy management and automation.
  • Equipment: The vulnerability affects the WebHMI component deployed with the EcoStruxure Power Automation System.
  • Vulnerability: Initialization of a Resource with an Insecure Default, which could allow unauthorized access.

2. RISK EVALUATION

The vulnerability in question could allow unauthorized access to the underlying software application running WebHMI. This access could lead to unauthorized command execution, potentially compromising the integrity and availability of critical infrastructure systems. Given that EcoStruxure is deployed across various sectors, including energy and critical manufacturing, the implications of such an exploit could be far-reaching, affecting not only operational efficiency but also public safety.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric has identified that the following products are affected due to their use of WebHMI v4.1.0.0 and prior:

  • EcoStruxure Power Automation System: Versions 2.6.30.19 and prior are vulnerable.

3.2 VULNERABILITY OVERVIEW

3.2.1 Initialization of a Resource with an Insecure Default CWE-1188

This vulnerability arises from the initialization of a resource with insecure default settings, which can lead to unauthorized command execution if default credentials are not changed upon first use. Notably, the default username is not displayed correctly in the WebHMI interface, further complicating the issue.

The vulnerability has been assigned the identifier CVE-2025-1960, with a CVSS v3.1 base score of 9.8, indicating critical severity. The CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Additionally, a CVSS v4 score of 9.2 has been calculated for this vulnerability, with the vector string being (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: The affected systems are integral to Commercial Facilities, Critical Manufacturing, and Energy sectors.
  • COUNTRIES/AREAS DEPLOYED: The EcoStruxure system is deployed worldwide, increasing the global risk associated with this vulnerability.
  • COMPANY HEADQUARTERS LOCATION: Schneider Electric is headquartered in France, a country that plays a significant role in global energy management and automation.

3.4 RESEARCHER

The vulnerability was reported by Cumhur Kizilari of Proofpoint, highlighting the importance of collaboration between cybersecurity researchers and vendors in identifying and mitigating risks.

4. MITIGATIONS

To address this vulnerability, Schneider Electric has released a hotfix, WebHMI_Fix_users_for_Standard.V1, which can be obtained from the Schneider Electric Customer Care Center. Users are advised to follow appropriate patching methodologies when applying these updates, including:

  • Backup Systems: Always back up systems before applying patches to prevent data loss.
  • Testing: Evaluate the impact of patches in a test environment before deployment.
  • Hardening Guidelines: After applying the hotfix, ensure that all hardening guidelines provided with the product are implemented.
  • Internet Exposure: The WebHMI should not be exposed to the Internet to minimize risk.

Schneider Electric also recommends the following cybersecurity best practices:

  • Network Isolation: Control and safety system networks should be isolated behind firewalls from business networks.
  • Physical Security: Implement physical controls to prevent unauthorized access to industrial control systems.
  • Locked Cabinets: Place all controllers in locked cabinets and avoid leaving them in “Program” mode.
  • Network Connections: Never connect programming software to any network other than the intended one.
  • Data Scanning: Scan all mobile data exchange methods before use in connected terminals.
  • Mobile Device Restrictions: Sanitize mobile devices that have connected to other networks before allowing them to connect to safety or control networks.
  • Minimize Exposure: Ensure control system devices are not accessible from the Internet.
  • Secure Remote Access: Use secure methods like VPNs for remote access, keeping in mind their potential vulnerabilities.

For further guidance, refer to Schneider Electric’s Recommended Cyber