Improper Privilege Management Vulnerability in Schneider Electric Services
CVE-2025-0327
8.5 HIGH
Key Information:
- Vendor: Schneider Electric
- CVE Published: 13 February 2025
Summary
An improper privilege management vulnerability has been identified in Schneider Electric services, specifically the Windows services that manage audit trail data and client requests. The flaw allows an attacker with standard user privileges to modify the executable path of these services. Exploitation requires the affected service to be restarted, and it can compromise the confidentiality, integrity, and availability of the engineering workstation involved.
Affected Version(s)
EcoStruxure Process Expert Versions 2020R2
EcoStruxure Process Expert Versions 2021 & 2023 (prior to v4.8.0.5715)
EcoStruxure Process Expert for AVEVA System Platform Versions 2020R2
CVSS V4
- Score: 8.5
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Local
- Attack Complexity: Low
- Attack Required: None
- Privileges Required: Undefined
- User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved