Advisory

Multiple flaws in Schneider Electric EcoStruxure IT Data Center Expert, at least one critical

Take action: If you have Schneider Electric EcoStruxure IT Data Center Expert, make sure it's isolated from the internet and accessible from trusted networks only. Then plan an update cycle to version 9.0, available through Schneider's Customer Care Center, with proper testing.


Learn More

Schneider Electric has disclosed multiple critical security vulnerabilities affecting its widely deployed EcoStruxure IT Data Center Expert (DCE) platform, a monitoring software for industrial environment infrastructure. 

Vulnerabilities summary:

  • CVE-2025-50121 (CVSS score 10.0) - An OS command injection vulnerability caused by improper neutralization of special elements used in operating system commands. Enables unauthenticated remote code execution when malicious folders are created via the web interface. It requires HTTP to be enabled, which is disabled by default.
  • CVE-2025-50122 (CVSS score 8.3) - Insufficient entropy vulnerability that could allow root password discovery when attackers reverse-engineer the password generation algorithm with access to installation or upgrade artifacts.
  • CVE-2025-50123 (CVSS score 7.2) - Code injection vulnerability that enables remote command execution by privileged accounts when the server is accessed via console.
  • CVE-2025-50125 (CVSS score 7.2) - A server-side request forgery (SSRF) vulnerability that could cause unauthenticated remote code execution when attackers access the server via the network with knowledge of hidden URLs and manipulation of host request headers.
  • CVE-2025-50124 (CVSS score 6.9) - An improper privilege management vulnerability that could enable privilege escalation when privileged accounts access the server via console through exploitation of setup scripts.
  • CVE-2025-6438 (CVSS score 6.8) - An XML External Entity (XXE) injection vulnerability that allows manipulation of SOAP API calls and injection of malicious XML entities, resulting in unauthorized file access when the server is accessed via network using application accounts.

The vulnerabilities affect versions 8.3 and prior of EcoStruxure IT Data Center Expert.

Schneider Electric has released version 9.0 of EcoStruxure IT Data Center Expert to patch the vulnerabilities. It is available through the company's Customer Care Center. Schneider Electric recommends immediate upgrades, with backup procedures and testing in development environments before production deployment. For organizations requiring assistance with the upgrade process, Schneider Electric's Customer Care Center provides specialized support services.
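The advisory's guidance (isolate internet-exposed instances first, treat instances with HTTP enabled as the highest upgrade priority because of CVE-2025-50121, upgrade everything at 8.3 or prior to 9.0) can be applied mechanically to an asset inventory. The following triage script is an added example, not Schneider Electric code; the inventory record format, hostnames and version strings are constructed for illustration, since DCE does not export such a list itself.

```python
"""Triage a constructed DCE asset inventory against the advisory above."""
from __future__ import annotations
from dataclasses import dataclass

LAST_AFFECTED = (8, 3)   # "versions 8.3 and prior" are affected; 9.0 is the fix


@dataclass
class DceAsset:
    hostname: str            # constructed for this example
    version: str             # e.g. "8.3", "8.2.1", "9.0"
    http_enabled: bool       # plain HTTP on: precondition for CVE-2025-50121
    internet_exposed: bool   # reachable from untrusted networks


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.2.1' into (8, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str) -> bool:
    """Affected when the major.minor prefix is 8.3 or earlier."""
    return parse_version(version)[:2] <= LAST_AFFECTED


def triage(asset: DceAsset) -> str:
    """Map one asset to an action, following the advisory's preconditions."""
    if not is_affected(asset.version):
        return "ok"
    if asset.internet_exposed:
        return "isolate-now"       # remove internet exposure before anything else
    if asset.http_enabled:
        return "upgrade-urgent"    # unauthenticated RCE precondition is met
    return "upgrade-planned"       # still exposed to the remaining five CVEs


def triage_inventory(assets: list[DceAsset]) -> dict[str, str]:
    """Return {hostname: action} for a whole inventory."""
    return {a.hostname: triage(a) for a in assets}


# Constructed sample inventory (hostnames and versions are invented).
SAMPLE = [
    DceAsset("dce-hq-01", "8.3", http_enabled=True, internet_exposed=True),
    DceAsset("dce-hq-02", "8.2.1", http_enabled=False, internet_exposed=False),
    DceAsset("dce-lab-01", "8.3", http_enabled=True, internet_exposed=False),
    DceAsset("dce-new-01", "9.0", http_enabled=True, internet_exposed=False),
]

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE).items():
        print(f"{host}: {action}")
```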
