Schneider Electric: Vulnerabilities discovered in various products (AL04/250211/CSIRT-ITA)

Summary

New vulnerabilities found in some Schneider Electric products – which can also be integrated into SCADA solutions – five of which have a “high” severity.

Risk

Estimate of the vulnerability’s impact on the reference community: High (69.83)

Type

• Arbitrary Code Execution
• Denial of Service
• Information Disclosure

Affected products and/or versions

Schneider Electric

• Enerlin’X IFE interface
• EcoStruxure Process Expert for AVEVA System
• Uni-Telway driver
• ASCO 5310 Single-Channel Remote Annunciator
• ASCO 5350 Eight Channel Remote Annunciator
• EcoStruxure Process Expert
• EcoStruxure Process Expert 2023
• Enerlin’X eIFE
• OPC Factory Server
• EcoStruxure Process Expert for AVEVA System Platform
• EcoStruxure Control Expert

Mitigation Actions

In line with vendor statements, it is recommended to apply the available mitigations following the indications reported in the security bulletins in the References section.

The following are the CVEs related to the vulnerabilities with a severity of “high”:

Referencias

https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp:

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-042-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2025-042-01.pdf

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-042-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2025-042-02.pdf

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-042-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2025-042-03.pdf

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-042-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2025-042-04.pdf

¹This estimate is made taking into account several parameters, including: CVSS, availability of patches/workarounds and PoC, diffusion of the affected software/devices in the reference community.