Critical Vulnerability in Schneider Electric EcoStruxure PME/EPO Enables Local Arbitrary Code Execution
What Happened — Schneider Electric disclosed a high‑severity vulnerability (CVSS v3 7.8) in its on‑premises EcoStruxure Power Monitoring Expert (PME) and Power Operation (EPO) software. The flaw permits local arbitrary code execution, potentially allowing an attacker to compromise the host system, disrupt operations, or gain unauthorized administrative control. A patch is available for all listed versions.
Why It Matters for TPRM —
- Unpatched OT/ICS platforms can become an entry point for lateral movement into critical infrastructure.
- Exploitation could cause production downtime, safety incidents, or loss of sensitive operational data.
- Vendor‑managed software often resides in third‑party environments; failure to patch reflects weak security hygiene.
Who Is Affected — Energy & Utilities, Manufacturing, Critical Infrastructure, and any organization that relies on Schneider Electric’s EcoStruxure PME/EPO for power monitoring and control.
Recommended Actions —
- Inventory all Schneider Electric EcoStruxure PME and EPO installations and verify version numbers.
- Apply the Schneider‑provided hot‑fixes/patches immediately.
- Validate that endpoint hardening and least‑privilege controls are enforced on the affected hosts.
- Incorporate patch‑management verification into third‑party risk assessments and continuous monitoring.
Technical Notes — The vulnerability is a local code‑execution flaw exploitable without network access, rated CVSS 7.8 (High). Affected versions span PME 2022‑2024 (including R2 releases) and EPO modules up to 2024. No public CVE identifier was listed in the advisory.
Source: CISA Advisory – ICSA‑26‑078‑04
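As an added example for the inventory and version‑verification steps above (not code from the advisory or from Schneider Electric), the following Python triage script applies the affected ranges stated in the Technical Notes to a constructed inventory. The `hotfix_applied` field, the version‑string form `PME <year> [R<n>]` / `EPO <year>`, and the host names are assumptions; the advisory summary gives no lower bound for EPO, so none is applied.

```python
import re
from dataclasses import dataclass

# Affected ranges as stated in the advisory summary.
PME_AFFECTED_YEARS = range(2022, 2025)  # PME 2022-2024, R2 releases included
EPO_MAX_AFFECTED_YEAR = 2024            # EPO modules up to 2024 (no lower bound stated)

# Assumed inventory format: "PME 2023 R2", "EPO 2024"; a missing R-suffix means release 1.
VERSION_RE = re.compile(r"^(PME|EPO)\s+(\d{4})(?:\s+R(\d+))?$")

@dataclass(frozen=True)
class Install:
    host: str
    version: str          # vendor version string as recorded in the inventory
    hotfix_applied: bool  # assumed field: Schneider hot-fix recorded for this host

def parse_version(version):
    """Return (product, year, release) or None when the string is not a PME/EPO version."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3) or 1)

def is_affected(version):
    """True when the version falls inside the ranges given in the Technical Notes."""
    parsed = parse_version(version)
    if parsed is None:
        return False
    product, year, _release = parsed
    if product == "PME":
        return year in PME_AFFECTED_YEARS
    return year <= EPO_MAX_AFFECTED_YEAR

def triage(installs):
    """Hosts needing action: affected and un-patched, or with a version that could not be parsed."""
    findings = []
    for inst in installs:
        if parse_version(inst.version) is None:
            findings.append((inst.host, f"UNPARSED: {inst.version!r}"))  # verify manually
        elif is_affected(inst.version) and not inst.hotfix_applied:
            findings.append((inst.host, inst.version))
    return sorted(findings)

# Constructed sample inventory (hosts and versions are not real).
SAMPLE_INVENTORY = [
    Install("pme-site-a", "PME 2023 R2", hotfix_applied=False),
    Install("pme-site-b", "PME 2024", hotfix_applied=True),
    Install("epo-plant-1", "EPO 2024", hotfix_applied=False),
    Install("pme-lab", "PME 2021", hotfix_applied=False),  # outside the stated range; confirm with vendor
    Install("legacy-box", "Power Monitoring Expert 9.0", hotfix_applied=False),
]

if __name__ == "__main__":
    for host, detail in triage(SAMPLE_INVENTORY):
        print(f"{host}: {detail}")
```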