Critical Remote Code Execution in Schneider Electric EcoStruxure Data Center Expert (CVE‑2025‑13957): Hard‑coded Password Threatens Data Center Ops
What It Is – A remote code execution (RCE) flaw in Schneider Electric’s EcoStruxure Data Center Expert stems from hard‑coded PostgreSQL credentials. An attacker who can authenticate to the service can execute arbitrary code with the privileges of the service account.
Exploitability – The vulnerability is actively exploitable; authentication is required but the hard‑coded password makes credential acquisition trivial. A proof‑of‑concept has been published by the Zero Day Initiative. CVSS v3.1 base score 8.8 (Critical).
Affected Products – Schneider Electric – EcoStruxure Data Center Expert (all versions prior to the March 2026 security update).
TPRM Impact –
- Compromise of a data‑center management platform can cascade to downstream SaaS, cloud, and on‑premise services that rely on its APIs.
- RCE may expose sensitive configuration data, network topology, and credentials for connected OT/IT assets, creating a supply‑chain foothold.
- Service disruption can affect customers across multiple industries that outsource data‑center operations to Schneider‑managed facilities.
Recommended Actions –
- Patch immediately – Apply the fix described in Schneider Electric’s security bulletin SEVD‑2026‑069‑05.
- Restrict network access – Block inbound traffic to TCP 5432 from untrusted networks; enforce firewall rules and VPN‑only access.
- Rotate credentials – Replace any default or hard‑coded PostgreSQL passwords with strong, unique secrets; audit for other hard‑coded credentials.
- Monitor for abuse – Enable logging of PostgreSQL authentication attempts and set alerts for anomalous activity.
- Review third‑party contracts – Verify that any service providers using EcoStruxure have applied the patch and hardened their connections.
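The "restrict network access" and "monitor for abuse" items above can be backed by a small log check. The following is an added example, not code from Schneider Electric or from this advisory: it reads PostgreSQL server log lines (the format produced with `log_connections = on` and the default `%m [%p]` line prefix), correlates the `connection received` host with the later `connection authorized` or `password authentication failed` line for the same backend PID, and raises an alert when a login succeeds from outside an allow-listed management network or when one source accumulates repeated failures for a role. The sample log lines, the `10.0.0.0/24` management subnet, the `dce` role name and the failure threshold are constructed assumptions for the demonstration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of PostgreSQL log lines (log_connections = on, prefix '%m [%p] ').
# Hosts, PIDs and the role name are made up for this example.
SAMPLE_LOG = """\
2026-03-10 08:00:01.101 UTC [4101] LOG:  connection received: host=10.0.0.5 port=50212
2026-03-10 08:00:01.109 UTC [4101] LOG:  connection authorized: user=dce database=dce
2026-03-10 08:02:17.412 UTC [4102] LOG:  connection received: host=203.0.113.40 port=41877
2026-03-10 08:02:17.420 UTC [4102] LOG:  connection authorized: user=dce database=dce
2026-03-10 08:03:05.002 UTC [4103] LOG:  connection received: host=198.51.100.7 port=55001
2026-03-10 08:03:05.010 UTC [4103] FATAL:  password authentication failed for user "dce"
2026-03-10 08:03:06.002 UTC [4104] LOG:  connection received: host=198.51.100.7 port=55002
2026-03-10 08:03:06.010 UTC [4104] FATAL:  password authentication failed for user "dce"
2026-03-10 08:03:07.002 UTC [4105] LOG:  connection received: host=198.51.100.7 port=55003
2026-03-10 08:03:07.010 UTC [4105] FATAL:  password authentication failed for user "dce"
2026-03-10 08:05:00.000 UTC [4106] LOG:  connection received: host=[local]
2026-03-10 08:05:00.004 UTC [4106] LOG:  connection authorized: user=postgres database=postgres
"""

# Assumption: only the management subnet may reach TCP 5432 (assumed value).
ALLOWED_SOURCES = (ipaddress.ip_network("10.0.0.0/24"),)
FAILURE_THRESHOLD = 3  # assumed: failed logins per (host, role) before alerting

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<level>LOG|FATAL):\s+(?P<msg>.*)$")
RECV_RE = re.compile(r"connection received: host=(?P<host>\S+)(?: port=\d+)?")
AUTH_RE = re.compile(r"connection authorized: user=(?P<user>\S+) database=(?P<db>\S+)")
FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')


def source_allowed(host, allowed=ALLOWED_SOURCES):
    """True for Unix-socket connections and addresses inside an allowed network."""
    if host == "[local]":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames or malformed values are treated as untrusted
    return any(addr in net for net in allowed)


def analyze(log_text, allowed=ALLOWED_SOURCES, threshold=FAILURE_THRESHOLD):
    """Return a list of alert dicts for unexpected logins and failure bursts."""
    host_by_pid = {}          # backend PID -> remote host from 'connection received'
    failures = Counter()      # (host, role) -> failed password attempts
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip multi-line statement output or unrelated lines
        pid, msg = m["pid"], m["msg"]
        recv = RECV_RE.search(msg)
        if recv:
            host_by_pid[pid] = recv["host"]
            continue
        host = host_by_pid.get(pid, "unknown")
        auth = AUTH_RE.search(msg)
        if auth:
            if not source_allowed(host, allowed):
                alerts.append({"kind": "unexpected_source", "host": host,
                               "user": auth["user"], "ts": m["ts"]})
            continue
        fail = FAIL_RE.search(msg)
        if fail:
            failures[(host, fail["user"])] += 1
    for (host, user), count in failures.items():
        if count >= threshold:
            alerts.append({"kind": "auth_failure_burst", "host": host,
                           "user": user, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against a real server, feed the contents of the PostgreSQL log directory instead of `SAMPLE_LOG` and replace `ALLOWED_SOURCES` with the actual management subnets; a login that succeeds for the application role from a host outside those networks is the signal that the hard-coded password may be in use from an unexpected place, and it is worth alerting on even when the patch has already been applied.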
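For the "rotate credentials" item, an audit of deployment files for embedded PostgreSQL secrets is the first step. This added example (not code from the vendor or the advisory) scans configuration text for the three common places a database password ends up: a `postgres://user:password@host` URI, a libpq-style `password=` keyword, and a `PGPASSWORD` environment assignment. It reports each hit with the secret redacted and flags values from a small list of well-known defaults. The sample configuration text, its file names and every value in it are constructed for the demonstration.

```python
import re

# Constructed configuration text; file names and values are made up.
SAMPLE_CONFIG = """\
# app.properties (constructed)
db.url=jdbc:postgresql://db.internal:5432/dce
db.user=dce
db.password=postgres
# worker.env (constructed)
DATABASE_URL=postgres://dce:S3cretPass@db.internal:5432/dce
PGPASSWORD=changeme
# libpq-style DSN (constructed)
conninfo=host=db.internal user=dce password=Tr0ub4dor&3 dbname=dce
"""

# Assumed list of default or placeholder passwords worth flagging as weak.
WEAK_VALUES = {"postgres", "password", "changeme", "admin", "123456", ""}

# Checked in order; the first pattern that matches a line wins.
PATTERNS = (
    ("uri_password", re.compile(r"postgres(?:ql)?://[^:/\s]+:(?P<secret>[^@\s]+)@")),
    ("env_pgpassword", re.compile(r"^\s*PGPASSWORD=(?P<secret>\S*)")),
    ("dsn_password", re.compile(r"\bpassword\s*=\s*(?P<secret>\S+)", re.IGNORECASE)),
)


def redact(secret):
    """Keep only the length so a report can be shared without leaking the value."""
    return "<empty>" if not secret else "*" * len(secret)


def audit(text):
    """Return one finding per line that carries an embedded PostgreSQL password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comments are not live configuration
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                secret = match["secret"]
                findings.append({
                    "line": lineno,
                    "kind": kind,
                    "weak": secret.lower() in WEAK_VALUES,
                    "redacted": redact(secret),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Every finding, weak or not, is a credential that lives in a file rather than a secrets store and should be rotated after the patch; the weak flag only orders the work. Point `audit` at the real configuration files of the management platform and of any integration that connects to its database, since those are the copies of the password that a rotation must not miss.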