Hard‑Coded Credentials in Schneider Electric EcoStruxure Data Center Expert (CVE‑2025‑13957) Enable Remote Code Execution

Schneider Electric’s EcoStruxure IT Data Center Expert contains a hard‑coded administrator password. When the optional SOCKS Proxy is enabled, attackers can authenticate and execute code remotely, risking data‑center visibility and operational continuity for critical‑infrastructure customers.

LiveThreat™ Intelligence · March 17, 2026 · cisa.gov

Severity: High
Type: Vulnerability
Confidence: High
Affected: 4 sector(s)
Actions: 5 recommended
Source: cisa.gov

What It Is – Schneider Electric’s EcoStruxure IT Data Center Expert (DCE) contains a hard‑coded administrator password. When the optional SOCKS Proxy feature (disabled by default) is enabled, an attacker can authenticate with the built‑in credentials and execute code remotely.

Exploitability – The vulnerability is publicly disclosed (CVE‑2025‑13957) with a CVSS v3.1 score of 7.2 (High). No public exploit code has been observed, but the attack requires only network access to the DCE service and the feature to be turned on, making exploitation feasible in poorly‑hardened environments.

Affected Products – Schneider Electric EcoStruxure IT Data Center Expert versions ≤ 9.0 and version 9.1.

TPRM Impact – Organizations that rely on Schneider Electric for data‑center monitoring (including commercial facilities, energy, government, and transportation) may face unauthorized disclosure of device inventories, configuration data, and potential disruption of critical operations if an attacker gains remote code execution. The flaw propagates through supply‑chain dependencies where third‑party service providers host or manage Schneider’s monitoring platform.

Recommended Actions

  • Apply Schneider’s remediation patch immediately (see CISA advisory).
  • Disable the SOCKS Proxy feature if it is not required for business operations.
  • Conduct a credential audit to ensure no default accounts remain active on any deployed DCE instances.
  • Verify network segmentation so that DCE management interfaces are not exposed to untrusted zones.
  • Update third‑party risk registers to reflect the elevated risk for any vendors that embed or outsource DCE monitoring.
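
Added example (not from the CISA advisory or Schneider Electric): a Python triage of a constructed DCE inventory that maps each instance to the actions above and ranks it by the two preconditions in this brief. The CSV columns, zone names and trusted-zone set are assumptions; version matching uses major.minor only and treats unparseable versions as affected until confirmed.

```python
import csv
import io

# Constructed sample inventory; column names are assumptions, not a DCE export.
SAMPLE_INVENTORY = """host,version,socks_proxy,reachable_from
dce-core-01,9.1,enabled,mgmt
dce-edge-02,9.0,enabled,mgmt;vendor-vpn
dce-lab-03,8.3.1,disabled,mgmt
dce-new-04,9.2,disabled,mgmt
dce-old-05,unknown,enabled,corp-lan
"""
TRUSTED_ZONES = {"mgmt"}  # assumption: the only zone allowed to reach DCE

def is_affected(version):
    """True/False per the brief (<= 9.0, or 9.1); None if unparseable."""
    try:
        parts = [int(p) for p in version.strip().split(".")]
        major, minor = parts[0], (parts[1] if len(parts) > 1 else 0)
    except ValueError:
        return None
    # Patch levels are ignored, so 9.0.x and 9.1.x count as affected.
    return (major, minor) <= (9, 1)

def triage(csv_text=SAMPLE_INVENTORY):
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        affected = is_affected(row["version"])
        proxy_on = row["socks_proxy"].strip().lower() == "enabled"
        exposed = sorted(set(row["reachable_from"].split(";")) - TRUSTED_ZONES)
        actions = []
        if affected is None:
            actions.append("confirm installed version")
        if affected is not False:
            actions.append("apply vendor remediation")
            if proxy_on:
                actions.append("disable SOCKS Proxy unless required")
        if exposed:
            actions.append("restrict access from " + ", ".join(exposed))
        # P1: affected (or not ruled out) with the SOCKS Proxy enabled.
        priority = 3 if affected is False else (1 if proxy_on else 2)
        findings.append({"host": row["host"], "priority": priority,
                         "exposed": exposed, "actions": actions})
    # Within a priority, instances reachable from untrusted zones come first.
    return sorted(findings,
                  key=lambda f: (f["priority"], not f["exposed"], f["host"]))

if __name__ == "__main__":
    for f in triage():
        print(f"P{f['priority']} {f['host']}: " + "; ".join(f["actions"]))
```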

Source: CISA Advisory – ICSA‑26‑076‑03

📰 Original Source
https://www.cisa.gov/news-events/ics-advisories/icsa-26-076-03

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
