
Schneider Electric has released a security notification detailing a critical vulnerability in the WebHMI component used in its EcoStruxure Power Automation System User Interface and EcoStruxure Microgrid Operation Large (EMO-L) solution.
The advisory highlights the potential for unauthorized access to the underlying software application running WebHMI if the provided remediations are not applied.
The vulnerability, tracked as CVE-2025-1960, carries a CVSS v3.1 base score of 9.8 (critical). Schneider Electric classifies it as an “Initialization of a Resource with an Insecure Default” weakness: an attacker could execute unauthorized commands when the system’s default password credentials have not been changed on first use. The default username is not displayed correctly in the WebHMI interface.
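To make the weakness class concrete, here is an added illustration (not Schneider Electric's code, and not the real WebHMI logic): a minimal HMI-style command service that ships with a factory default account. The insecure variant accepts the default credential indefinitely; the hardened variant lets the default only unlock a password change and refuses commands until that change is made. An audit helper reports accounts still on their defaults. The usernames, passwords and command names are constructed placeholders, not the product's actual values.

```python
"""Added example of the 'insecure default initialization' pattern behind
CVE-2025-1960, written generically.  Not Schneider Electric code; all
usernames, passwords and command names below are constructed placeholders."""

import hashlib
import hmac
import os

# Constructed placeholder defaults, not the product's real credentials.
DEFAULT_USER = "operator"
DEFAULT_PASSWORD = "operator"


def _hash(password, salt):
    # Salted PBKDF2 so stored digests are not comparable across accounts.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, username, password, default=False):
        self.username = username
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)
        self.must_change = default  # True while the factory default is in place

    def check(self, password):
        return hmac.compare_digest(self.digest, _hash(password, self.salt))

    def set_password(self, new_password):
        if new_password == DEFAULT_PASSWORD:
            raise ValueError("new password must differ from the factory default")
        self.salt = os.urandom(16)
        self.digest = _hash(new_password, self.salt)
        self.must_change = False


class Hmi:
    """Common state: one factory default account, plus a password-change path."""

    def __init__(self):
        self.accounts = {
            DEFAULT_USER: Account(DEFAULT_USER, DEFAULT_PASSWORD, default=True)
        }

    def change_password(self, username, old, new):
        acct = self.accounts.get(username)
        if not acct or not acct.check(old):
            return False
        acct.set_password(new)
        return True


class InsecureHmi(Hmi):
    """Vulnerable pattern: the default credential authorizes commands forever."""

    def run_command(self, username, password, command):
        acct = self.accounts.get(username)
        if acct and acct.check(password):
            return f"executed {command}"
        return "denied"


class HardenedHmi(Hmi):
    """Hardened pattern: a default credential may only be used to replace itself."""

    def run_command(self, username, password, command):
        acct = self.accounts.get(username)
        if not acct or not acct.check(password):
            return "denied"
        if acct.must_change:
            return "password change required before commands are accepted"
        return f"executed {command}"


def accounts_on_default(hmi):
    """Audit helper: usernames whose factory default credential still works."""
    return sorted(
        name for name, acct in hmi.accounts.items()
        if acct.must_change or acct.check(DEFAULT_PASSWORD)
    )


if __name__ == "__main__":
    hmi = HardenedHmi()
    print(accounts_on_default(hmi))                                  # ['operator']
    print(hmi.run_command("operator", "operator", "show_alarms"))    # change required
    hmi.change_password("operator", "operator", "correct-horse-battery")
    print(accounts_on_default(hmi))                                  # []
    print(hmi.run_command("operator", "correct-horse-battery", "show_alarms"))
```

The point of the hardened form is that "first use" is enforced in code rather than left to a procedure: the service itself refuses to act until the shipped credential has been replaced, and the audit helper gives operators a way to find accounts that were never rotated.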
The vulnerability affects the following products and versions:
- WebHMI – Deployed with EcoStruxure Power Automation System: WebHMI v4.1.0.0 and prior when deployed with EPAS User Interface 2.6.30.19 and prior.
It’s important to note that EMO-L is based on the EcoStruxure Power Automation System solution (EPAS), and EMO-L customers using the specified versions are also affected.
Schneider Electric has provided a hotfix, WebHMI_Fix_users_for_Standard.V1, to address CVE-2025-1960. Customers can obtain this hotfix from the Schneider Electric Customer Care Center.
In addition to applying the hotfix, Schneider Electric strongly recommends the following mitigations to reduce the risk of exploitation:
- Once the hotfix has been applied, ensure that all hardening guidelines provided with the product are implemented to maintain best practices for defense-in-depth.
- Specifically, the WebHMI should not be exposed to the internet. Contact the Customer Care Center for assistance if required.
Schneider Electric also provides the following general cybersecurity best practices:
- Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
- Install physical controls to prevent unauthorized personnel from accessing industrial control and safety systems.
- Place all controllers in locked cabinets and never leave them in “Program” mode.
- Never connect programming software to any network other than the network intended for that device.
- Scan all methods of mobile data exchange with the isolated network, such as CDs and USB drives, before use.
- Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
- Minimize network exposure for all control system devices and systems and ensure they are not accessible from the Internet.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs).
- Recognize that VPNs may have vulnerabilities and should be updated to the most current version available.
- Understand that VPNs are only as secure as the connected devices.