#VU105860 Insecure Default Initialization of Resource in EcoStruxure Power Automation System - CVE-2025-1960

Cybersecurity Help s.r.o.

Published: 2025-03-19

Vulnerability identifier: #VU105860

Vulnerability risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-1960

CWE-ID: CWE-1188

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
EcoStruxure Power Automation System
Server applications / SCADA systems

Vendor: Schneider Electric

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insecure default initialization of resource. A remote attacker can execute arbitrary commands when a system's default password credentials have not been changed on first use.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

EcoStruxure Power Automation System: 2.6.30.19

External links
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-070-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-070-03.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-25-077-03

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Insecure Default Initialization of Resource in Schneider Electric EcoStruxure Power Automation System