Saturday, January 17, 2026

Schneider Electric Security Flaws Allow OS Command Injection by Attackers

Schneider Electric has disclosed multiple critical security vulnerabilities in its EcoStruxure IT Data Center Expert software that could allow attackers to execute remote commands and compromise data center operations.

The vulnerabilities affect version 8.3 and all prior versions of the monitoring software. They include a maximum-severity command injection flaw rated CVSS 10.0, the highest possible score.

Critical Vulnerabilities Discovered in Data Center Software

The most severe vulnerability, designated CVE-2025-50121, represents an OS command injection flaw that enables unauthenticated remote code execution.

The flaw is triggered when an attacker creates a specially crafted folder through the web interface while HTTP access is enabled.

While HTTP is disabled by default, organizations that have enabled this feature face an immediate risk of complete system compromise.

Security researchers Jaggar Henry and Jim Becher from KoreLogic, Inc. discovered and reported the vulnerabilities to Schneider Electric.

Their investigation uncovered six distinct security flaws that collectively expose data center infrastructure to various attack vectors.

The EcoStruxure IT Data Center Expert software serves as a centralized monitoring platform that collects and distributes critical device information across data center environments, making it a high-value target for cybercriminals.

Technical Details and Attack Vectors

Beyond the command injection vulnerability, the discovered flaws include CVE-2025-50122, an insufficient entropy weakness that could allow attackers to reverse-engineer root password generation algorithms by accessing installation artifacts.

This high-severity vulnerability carries a CVSS score of 8.3 and requires physical or network access to installation materials.

Additional vulnerabilities include CVE-2025-50123, a code injection flaw that can be exploited through hostname input manipulation via console access, and CVE-2025-50125, a server-side request forgery (SSRF) vulnerability that enables unauthenticated remote code execution through manipulation of host request headers and knowledge of hidden URLs.

Two medium-severity vulnerabilities round out the disclosure: CVE-2025-50124 concerns improper privilege management, and CVE-2025-6438 involves XML external entity (XXE) injection.

Remediation and Security Recommendations

Schneider Electric has released version 9.0 of EcoStruxure IT Data Center Expert to address all identified vulnerabilities.

The company strongly recommends an immediate upgrade for all affected installations, which can be obtained through Schneider Electric’s Customer Care Center.

Organizations should implement proper testing procedures and backup strategies before applying updates to production systems.

For customers unable to immediately upgrade, Schneider Electric recommends implementing the cybersecurity best practices outlined in the EcoStruxure IT Data Center Expert Security Handbook.

These include network segmentation, firewall implementation, physical access controls, and restriction of internet connectivity for control systems.

The company emphasizes that failure to apply remediation could result in the disclosure of sensitive information, system compromise, and operational disruption of critical data center infrastructure.
