Multiple vulnerabilities in Schneider Electric Trio Q Licensed Data Radio
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2025-2440 CVE-2025-2441 CVE-2025-2442 |
| CWE-ID | CWE-922 CWE-1188 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Trio Q Licensed Data Radio Hardware solutions / Firmware |
| Vendor | Schneider Electric |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Insecure Storage of Sensitive Information
EUVDB-ID: #VU107644
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-2440
CWE-ID:
CWE-922 - Insecure Storage of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to insecure storage of sensitive information. An attacker with physical access can set the radio to factory default mode and gain access to confidential data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTrio Q Licensed Data Radio: before 2.7.2
CPE2.3 External linkshttps://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-098-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-098-02.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-25-107-01
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Insecure Default Initialization of Resource
EUVDB-ID: #VU107645
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-2441
CWE-ID:
CWE-1188 - Insecure Default Initialization of Resource
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to insecure default initialization of resource. An attacker with physical access can set the radio to factory default mode and cause the target product to not correctly initialize all data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTrio Q Licensed Data Radio: before 2.7.2
CPE2.3 External linkshttps://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-098-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-098-02.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-25-107-01
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Insecure Default Initialization of Resource
EUVDB-ID: #VU107654
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-2442
CWE-ID:
CWE-1188 - Insecure Default Initialization of Resource
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to insecure default initialization of resource. An attacker with physical access can set the radio to factory default mode and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsTrio Q Licensed Data Radio: before 2.7.2
CPE2.3 External linkshttps://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-098-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-098-02.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-25-107-01
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
