Schneider Electric has disclosed multiple critical security vulnerabilities in its EcoStruxure IT Data Center Expert software that could allow attackers to execute remote commands and compromise data center operations.
The vulnerabilities, which affect version 8.3 and all prior versions of the monitoring software, include a command injection flaw that received the maximum CVSS score of 10.0.
The most severe vulnerability, designated CVE-2025-50121, is an OS command injection flaw that enables unauthenticated remote code execution.
The flaw can be triggered by creating specially crafted folders through the web interface when HTTP access is enabled.
While HTTP is disabled by default, organizations that have enabled this feature face an immediate risk of complete system compromise.
Security researchers Jaggar Henry and Jim Becher from KoreLogic, Inc. discovered and reported the vulnerabilities to Schneider Electric.
Their investigation uncovered six distinct security flaws that collectively expose data center infrastructure to various attack vectors.
The EcoStruxure IT Data Center Expert software serves as a centralized monitoring platform that collects and distributes critical device information across data center environments, making it a high-value target for cybercriminals.
Beyond the command injection vulnerability, the discovered flaws include CVE-2025-50122, an insufficient entropy weakness that could allow attackers to reverse-engineer root password generation algorithms by accessing installation artifacts.
This high-severity vulnerability carries a CVSS score of 8.3 and requires physical or network access to installation materials.
Additional vulnerabilities include CVE-2025-50123, a code injection flaw that can be exploited through hostname input manipulation via console access, and CVE-2025-50125, a server-side request forgery (SSRF) vulnerability that enables unauthenticated remote code execution through manipulation of host request headers and knowledge of hidden URLs.
Two medium-severity vulnerabilities round out the disclosure: CVE-2025-50124 concerns improper privilege management, and CVE-2025-6438 involves XML external entity injection risks.
Schneider Electric has released version 9.0 of EcoStruxure IT Data Center Expert to address all identified vulnerabilities.
The company strongly recommends an immediate upgrade for all affected installations, which can be obtained through Schneider Electric’s Customer Care Center.
Organizations should implement proper testing procedures and backup strategies before applying updates to production systems.
For customers unable to immediately upgrade, Schneider Electric recommends implementing the cybersecurity best practices outlined in the EcoStruxure IT Data Center Expert Security Handbook.
These include network segmentation, firewall implementation, physical access controls, and restriction of internet connectivity for control systems.
The company emphasizes that failure to apply remediation could result in the disclosure of sensitive information, system compromise, and operational disruption of critical data center infrastructure.