Critical Vulnerabilities Found in Schneider Electric’s EcoStruxure IT Data Center Expert
Do Son 
Schneider Electric has issued a high-severity security advisory disclosing multiple vulnerabilities affecting its flagship infrastructure management platform, EcoStruxure IT Data Center Expert (DCE), version 8.3 and prior. The issues, if left unpatched, could lead to unauthorized access, remote code execution, privilege escalation, and even potential disruption of critical data center operations.
The advisory opens with a warning:
“Failure to apply the remediation provided below may risk information disclosure, and remote compromise of the offer which could result in disruption of operations and access to system data.”
Breakdown of the Vulnerabilities
- CVE-2025-50121 (CVSS v3.1 Score: 10.0) — OS Command Injection
This vulnerability stems from improper neutralization of special elements in OS commands, leading to unauthenticated remote code execution when a malicious folder is created via the web interface. Although the HTTP interface is disabled by default, if enabled, this poses a serious threat. - CVE-2025-50122 (CVSS v3.1 Score: 8.3) — Insufficient Entropy
The flaw involves weak randomness in root password generation. If attackers obtain installation or upgrade files, they could reverse engineer the algorithm and gain root access. - CVE-2025-50123 (CVSS v3.1 Score: 7.2 ) — Code Injection
A code injection vulnerability that allows privileged users to execute arbitrary commands via hostname input when accessing the server console. - CVE-2025-50125 (CVSS v3.1 Score: 7.2) — Server-Side Request Forgery (SSRF)
This vulnerability could be exploited to execute remote code without authentication by manipulating hidden URLs and HTTP headers. - CVE-2025-50124 (CVSS v3.1 Score: 6.9) — Improper Privilege Management
This issue allows privilege escalation through a setup script by a user already holding elevated access via the console. - CVE-2025-6438 (CVSS v3.1 Score: 6.8) — XML External Entity (XXE) Injection
Attackers could exploit SOAP API calls to inject malicious XML entities and gain unauthorized file access.
Immediate Remediation Recommended
Schneider Electric recommends upgrading to EcoStruxure IT Data Center Expert version 9.0, which includes fixes for all the vulnerabilities mentioned.
Customers who cannot apply the update immediately should:
- Harden their instance using best practices from the EcoStruxure IT DCE Security Handbook,
- Isolate critical systems from the business network,
- Apply strict access controls,
- Disable unnecessary services,
- And use up-to-date secure VPNs for remote access.
Related Posts:
- CVE-2024-10575 (CVSS 10): Critical Flaw in Schneider Electric’s EcoStruxure IT Gateway
- CVE-2025-1960 (CVSS 9.8): Schneider Electric Addresses Critical Flaw in WebHMI Component
- Schneider Electric Warns of Multiple Vulnerabilities in Modicon Controllers
- Critical Ghostscript Vulnerability Exposes Systems: Immediate Update Recommended
- CVE-2024-44102 (CVSS 10) Found in Siemens TeleControl Server Basic: Urgent Update Required
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
