Summary
Schneider Electric is aware of a vulnerability in its EcoStruxure™ Process and EcoStruxure™ Process Expert for AVEVA System Platform products. The EcoStruxure™ Process is a single automation system to engineer, operate, and maintain your entire infrastructure for a sustainable, productive and market-agile plant. The EcoStruxure™ Process Expert for AVEVA System Platform product enables users to achieve operational profitability from design engineering to meeting the demands of modern-day production. It provides an asset centric and object-oriented automation platform to deploy system-wide standards in a digital ecosystem. Failure to apply the Fix/Mitigations provided below may risk modification of the executable binaries, which could result in privilege escalation.
The following Schneider Electric products are affected:
- EcoStruxure™ Process Expert (CVE-2025-13905)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 7.3 | Schneider Electric | Schneider Electric EcoStruxure Process Expert | Incorrect Default Permissions |
Background
- Critical Infrastructure Sectors: Critical Manufacturing, Energy, Commercial Facilities
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: France
Vulnerabilities
CVE-2025-13905
CWE-276: An Incorrect Default Permissions vulnerability exists that could cause privilege escalation through a reverse shell when a local user with normal privileges modifies one or more executable service binaries in the installation folder and the service is then restarted.
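As an added example (not part of the advisory and not Schneider Electric tooling), the following PowerShell audit lists Windows services whose binaries sit under an installation folder and reports ACL entries that let broad low-privileged groups write to the binary or its folder. The `$InstallRoot` value is a placeholder, since the advisory does not state the installation path, and the helper name `Get-ServiceBinaryPath` is hypothetical.

```powershell
# Added example: audit service binaries for the CWE-276 condition described above.
param(
    # Placeholder: replace with the product's actual installation folder.
    [string]$InstallRoot = 'C:\PLACEHOLDER\InstallFolder'
)

# Well-known SIDs of broad, low-privileged groups.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that allow a file to be replaced or altered, or its ACL changed.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Also match raw GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
$mask = [int]$writeRights -bor 0x50000000

# Extract the executable path from a service command line (quoted or unquoted).
function Get-ServiceBinaryPath([string]$PathName) {
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

$root = $InstallRoot.TrimEnd('\') + '\'
Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $bin = Get-ServiceBinaryPath $svc.PathName
    if (-not $bin -or -not $bin.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return }
    # Write access to the binary or to its folder both permit modification.
    foreach ($target in @($bin, (Split-Path $bin -Parent))) {
        if (-not (Test-Path -LiteralPath $target)) { continue }
        $rules = (Get-Acl -LiteralPath $target).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $lowPrivSids -contains $ace.IdentityReference.Value -and
                ([int]$ace.FileSystemRights -band $mask)) {
                [pscustomobject]@{
                    Service = $svc.Name;  RunsAs = $svc.StartName
                    Target  = $target;    Sid    = $ace.IdentityReference.Value
                    Rights  = $ace.FileSystemRights
                }
            }
        }
    }
}
```

An empty result means none of the listed groups hold write-type rights on those paths; any row returned identifies a service binary or folder whose ACL should be tightened.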
Affected Products
Schneider Electric