Vulnerabilites related to Schneider Electric - EcoStruxure Enterprise Server
CVE-2025-8448 (GCVE-0-2025-8448)
Vulnerability from cvelistv5
Published
2025-08-20 13:58
Modified
2025-09-09 20:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause unauthorized access to sensitive credential data when an attacker is able to capture local SMB traffic between a valid user within the BMS network and the vulnerable products.
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Schneider Eelctric | EcoStruxure Building Operation Enterprise Server |
Version: All 7.x versions Version: All 6.x versions Version: All 5.x versions |
|||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8448",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T15:51:48.499459Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:51:53.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Building Operation Enterprise Server",
"vendor": "Schneider Eelctric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "affected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "affected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Enterprise Server",
"vendor": "Schneider Electric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "affected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "affected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Building Operation Workstation",
"vendor": "Schneider Eelctric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "affected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "affected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause unauthorized access to sensitive credential data when an attacker is able to capture local SMB traffic between a valid user within the BMS network and the vulnerable products."
}
],
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause unauthorized access to sensitive credential data when an attacker is able to capture local SMB traffic between a valid user within the BMS network and the vulnerable products."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 1,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T20:55:43.384Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-04.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-8448",
"datePublished": "2025-08-20T13:58:53.818Z",
"dateReserved": "2025-07-31T21:02:43.599Z",
"dateUpdated": "2025-09-09T20:55:43.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8449 (GCVE-0-2025-8449)
Vulnerability from cvelistv5
Published
2025-08-20 13:55
Modified
2025-09-09 20:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service when an authenticated user sends a specially crafted request to a specific endpoint from within the BMS network.
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Schnieder Electric | EcoStruxure Building Operation Enterprise Server |
Version: All 7.x versions Version: All 5.x versions |
|||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8449",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T17:10:39.552635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T17:10:46.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Building Operation Enterprise Server",
"vendor": "Schnieder Electric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "affected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "unaffected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Enterprise Server",
"vendor": "Schneider Electric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "unaffected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "affected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EcoStruxure Building Operation Workstation",
"vendor": "Schneider Eelctric",
"versions": [
{
"lessThan": "7.0.2.348",
"status": "affected",
"version": "All 7.x versions",
"versionType": "version"
},
{
"lessThan": "6.0.4.10001 (CP8)",
"status": "affected",
"version": "All 6.x versions",
"versionType": "version"
},
{
"lessThan": "5.0.3.17009 (CP16)",
"status": "affected",
"version": "All 5.x versions",
"versionType": "version"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service when an authenticated user sends a specially crafted request to a specific endpoint from within the BMS network."
}
],
"value": "CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service when an authenticated user sends a specially crafted request to a specific endpoint from within the BMS network."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T20:50:55.766Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-224-04.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2025-8449",
"datePublished": "2025-08-20T13:55:34.397Z",
"dateReserved": "2025-07-31T21:02:44.262Z",
"dateUpdated": "2025-09-09T20:50:55.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}