Schneider Electric
Products by Schneider Electric Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2025 there have been 0 vulnerabilities in Schneider Electric. Last year, in 2024, Schneider Electric had 16 security vulnerabilities published. Right now, Schneider Electric is on track to have fewer security vulnerabilities in 2025 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 0 | 0.00 |
| 2024 | 16 | 7.69 |
| 2023 | 65 | 8.22 |
| 2022 | 49 | 7.88 |
| 2021 | 38 | 7.43 |
| 2020 | 48 | 7.80 |
| 2019 | 18 | 7.46 |
| 2018 | 61 | 6.75 |
It may take a day or so for new Schneider Electric vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Schneider Electric Security Vulnerabilities
Missing Authorization Vulnerability in Cisco IOS XE Software
CVE-2024-10575
9.8 - Critical
- November 13, 2024
CWE-862: Missing Authorization vulnerability exists that could cause unauthorized access when enabled on the network and potentially impact connected devices.
AuthZ
CWE-416: Use After Free vulnerability exists
CVE-2024-8422
7.8 - High
- October 08, 2024
CWE-416: Use After Free vulnerability exists that could cause arbitrary code execution, denial of service and loss of confidentiality & integrity when application user opens a malicious Zelio Soft 2 project file.
Dangling pointer
CWE-269: Improper Privilege Management vulnerability exists
CVE-2024-8306
7.8 - High
- September 11, 2024
CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity and availability of the workstation when a non-admin authenticated user tries to perform privilege escalation by tampering with the binaries.
Improper Privilege Management
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists
CVE-2024-2602
7.8 - High
- July 11, 2024
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could result in remote code execution when an authenticated user executes a saved project file that has been tampered with by a malicious actor.
Directory traversal
CWE-787: Out-of-Bounds Write vulnerability exists
CVE-2024-5679
7.1 - High
- July 11, 2024
CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, or kernel memory leak when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
Memory Corruption
CWE-129: Improper Validation of Array Index vulnerability exists
CVE-2024-5680
5.5 - Medium
- July 11, 2024
CWE-129: Improper Validation of Array Index vulnerability exists that could cause local denial-of-service when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
out-of-bounds array index
CWE-20: Improper Input Validation vulnerability exists
CVE-2024-5681
7.8 - High
- July 11, 2024
CWE-20: Improper Input Validation vulnerability exists that could cause local denial-of-service, privilege escalation, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
Improper Input Validation
CWE-428: Unquoted search path or element vulnerability exists in Easergy Studio
CVE-2024-2747
7.8 - High
- June 12, 2024
CWE-428: Unquoted search path or element vulnerability exists in Easergy Studio, which could cause privilege escalation when a valid user replaces a trusted file name on the system and reboots the machine.
Unquoted Search Path or Element
CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists
CVE-2024-5559
6.8 - Medium
- June 12, 2024
CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists that could cause denial of service, device reboot, or an attacker gaining full control of the relay when a specially crafted reset token is entered into the front panel of the device.
Use of a Broken or Risky Cryptographic Algorithm
CWE-798: Use of hard-coded credentials vulnerability exists
CVE-2024-0865
7.8 - High
- June 12, 2024
CWE-798: Use of hard-coded credentials vulnerability exists that could cause local privilege escalation when logged in as a non-administrative user.
Use of Hard-coded Credentials
CWE-787: Out-of-bounds Write vulnerability exists
CVE-2024-37036
9.8 - Critical
- June 12, 2024
CWE-787: Out-of-bounds Write vulnerability exists that could result in an authentication bypass when sending a malformed POST request and particular configuration parameters are set.
Memory Corruption
CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes an SSH interface over the product network interface
CVE-2024-5313
6.5 - Medium
- June 12, 2024
CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes an SSH interface over the product network interface. This does not allow direct exploitation of the product or any unintended operation, because access to the SSH interface is protected by an authentication mechanism. Impacts are limited to port scanning and fingerprinting activities, as well as attempts to perform a potential denial of service attack on the exposed SSH interface.
Exposure of Resource to Wrong Sphere
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists
CVE-2023-6408
8.1 - High
- February 14, 2024
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause a denial of service and loss of confidentiality and integrity of controllers when a Man-in-the-Middle attack is conducted.
Improper Enforcement of Message Integrity During Transmission in a Communication Channel
CWE-522: Insufficiently Protected Credentials vulnerability exists
CVE-2023-27975
7.1 - High
- February 14, 2024
CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation.
Insufficiently Protected Credentials
CWE-798: Use of Hard-coded Credentials vulnerability exists
CVE-2023-6409
7.7 - High
- February 14, 2024
CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to a project file protected with application password when opening the file with EcoStruxure Control Expert.
Use of Hard-coded Credentials
A CWE-502: Deserialization of untrusted data vulnerability exists
CVE-2023-7032
7.8 - High
- January 09, 2024
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker logged in with a user level account to gain higher privileges by providing a harmful serialized object.
Marshaling, Unmarshaling
A CWE-601 URL Redirection to Untrusted Site vulnerability exists
CVE-2023-5986
6.1 - Medium
- November 15, 2023
A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an open redirect leading to a cross-site scripting attack. By providing a URL-encoded input, attackers can cause the software's web application to redirect to the chosen domain after a successful login is performed.
Open Redirect
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability
CVE-2023-5987
6.1 - Medium
- November 15, 2023
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists that could lead to a cross-site scripting condition where attackers can have a victim's browser run arbitrary JavaScript when they visit a page containing the injected payload.
A CWE-502: Deserialization of untrusted data vulnerability exists
CVE-2023-5391
9.8 - Critical
- October 04, 2023
A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.
Marshaling, Unmarshaling
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists
CVE-2023-5399
9.8 - Critical
- October 04, 2023
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause tampering of files on the personal computer running C-Bus when using the File Command.
Directory traversal
A CWE-269: Improper Privilege Management vulnerability exists
CVE-2023-5402
9.8 - Critical
- October 04, 2023
A CWE-269: Improper Privilege Management vulnerability exists that could cause a remote code execution when the transfer command is used over the network.
Improper Privilege Management
A CWE-306: Missing Authentication for Critical Function vulnerability exists in the IGSS Update Service
CVE-2023-4516
7.8 - High
- September 14, 2023
A CWE-306: Missing Authentication for Critical Function vulnerability exists in the IGSS Update Service that could allow a local attacker to change the update source, potentially leading to remote code execution when the attacker forces an update containing malicious content.
Missing Authentication for Critical Function
A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists
CVE-2023-3953
5.3 - Medium
- August 09, 2023
A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause memory corruption when an authenticated user opens a tampered log file from GP-Pro EX.
Buffer Overflow
A CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) vulnerability exists
CVE-2023-29414
7.8 - High
- July 12, 2023
A CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) vulnerability exists that could cause user privilege escalation if a local user sends specific string input to a local function call.
Classic Buffer Overflow
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists
CVE-2023-37199
7.2 - High
- July 12, 2023
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored.
Code Injection
A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists
CVE-2023-37196
8.8 - High
- July 12, 2023
A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change or delete content, or perform unauthorized actions when tampering with the alert settings of endpoints on DCE.
SQL Injection
A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists
CVE-2023-37197
8.8 - High
- July 12, 2023
A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change or delete content, or perform unauthorized actions when tampering with the mass configuration settings of endpoints on DCE.
SQL Injection
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists
CVE-2023-37198
7.2 - High
- July 12, 2023
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages.
Code Injection
A CWE-787: Out-of-Bounds Write vulnerability exists
CVE-2023-2569
7.8 - High
- June 14, 2023
A CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, elevation of privilege, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
Memory Corruption
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists
CVE-2023-1049
7.8 - High
- June 14, 2023
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspecting user loads a project file from the local filesystem into the HMI.
Code Injection
A CWE-129: Improper Validation of Array Index vulnerability exists
CVE-2023-2570
7.8 - High
- June 14, 2023
A CWE-129: Improper Validation of Array Index vulnerability exists that could cause local denial-of-service, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an unpredictable index to an IOCTL call in the Foxboro.sys driver.
out-of-bounds array index
A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module
CVE-2023-3001
7.8 - High
- June 14, 2023
A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that could cause an interpretation of malicious payload data, potentially leading to remote code execution when an attacker gets the user to open a malicious file.
Marshaling, Unmarshaling
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists
CVE-2023-2161
5.5 - Medium
- May 16, 2023
A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded on to the software by a local user.
XXE
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists
CVE-2023-25554
7.8 - High
- April 18, 2023
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Shell injection
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists
CVE-2023-25555
8.1 - High
- April 18, 2023
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow a user that knows the credentials to execute unprivileged shell commands on the appliance over SSH. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Shell injection
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver
CVE-2023-25553
6.1 - Medium
- April 18, 2023
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
XSS
A CWE-862: Missing Authorization vulnerability exists
CVE-2023-25552
8.1 - High
- April 18, 2023
A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized content, changing or deleting of content, or performing unauthorized functions when tampering with the Device File Transfer settings on DCE endpoints. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
AuthZ
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP
CVE-2023-25551
6.1 - Medium
- April 18, 2023
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
XSS
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists
CVE-2023-25550
9.8 - Critical
- April 18, 2023
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows remote code execution via the hostname parameter when maliciously crafted hostname syntax is entered. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Code Injection
A CWE-863: Incorrect Authorization vulnerability exists
CVE-2023-25548
6.5 - Medium
- April 18, 2023
A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints that are not properly secured when a hacker is using a low-privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
AuthZ
A CWE-613: Insufficient Session Expiration vulnerability exists
CVE-2023-28003
8.8 - High
- April 18, 2023
A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session in PME after the legitimate user has signed out of their account.
Insufficient Session Expiration
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists
CVE-2023-25549
9.8 - Critical
- April 18, 2023
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Code Injection
A CWE-863: Incorrect Authorization vulnerability exists
CVE-2023-25547
8.8 - High
- April 18, 2023
A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low-privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
AuthZ
A CWE-427 - Uncontrolled Search Path Element vulnerability exists
CVE-2022-34755
6.7 - Medium
- April 18, 2023
A CWE-427 - Uncontrolled Search Path Element vulnerability exists that could allow an attacker with a local privileged account to place a specially crafted file on the target machine, which may give the attacker the ability to execute arbitrary code during the installation process initiated by a valid user. Affected Products: Easergy Builder Installer (1.7.23 and prior)
DLL preloading
A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists
CVE-2023-27976
8.8 - High
- April 18, 2023
A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause remote code execution when a valid user visits a malicious link provided through the web endpoints. Affected Products: EcoStruxure Control Expert (V15.1 and above)
Exposure of Resource to Wrong Sphere
A CWE-269: Improper Privilege Management vulnerability exists
CVE-2023-1548
5.5 - Medium
- April 18, 2023
A CWE-269: Improper Privilege Management vulnerability exists that could cause a local user to perform a denial of service through the console server service that is part of EcoStruxure Control Expert. Affected Products: EcoStruxure Control Expert (V15.1 and above)
Improper Privilege Management
A CWE-306: Missing Authentication for Critical Function vulnerability exists in the Data Server TCP interface
CVE-2023-27983
5.3 - Medium
- March 21, 2023
A CWE-306: Missing Authentication for Critical Function vulnerability exists in the Data Server TCP interface that could allow deletion of reports from the IGSS project report directory, which would lead to loss of data when an attacker abuses this functionality. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior).
Missing Authentication for Critical Function
A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server
CVE-2023-27979
6.5 - Medium
- March 21, 2023
A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could allow the renaming of files in the IGSS project report directory, which could lead to denial of service when an attacker sends specifically crafted messages to the Data Server TCP port. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior).
Insufficient Verification of Data Authenticity
A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server
CVE-2023-27977
5.3 - Medium
- March 21, 2023
A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could allow deletion of files in the IGSS project report directory, which could lead to loss of data when an attacker sends specifically crafted messages to the Data Server TCP port. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior).
Insufficient Verification of Data Authenticity
A CWE-20: Improper Input Validation vulnerability exists in Custom Reports
CVE-2023-27984
8.8 - High
- March 21, 2023
A CWE-20: Improper Input Validation vulnerability exists in Custom Reports that could cause a macro to be executed, potentially leading to remote code execution when a user opens a malicious report file planted by an attacker. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior).
Improper Input Validation