Schneider Electric

Products by Schneider Electric Sorted by Most Security Vulnerabilities since 2018

By the Year

In 2025 there have been 0 vulnerabilities in Schneider Electric. Last year, in 2024, Schneider Electric had 16 security vulnerabilities published. Right now, Schneider Electric is on track to have fewer security vulnerabilities in 2025 than it did last year.

Year   Vulnerabilities   Average Score
2025   0                 0.00
2024   16                7.69
2023   65                8.22
2022   49                7.88
2021   38                7.43
2020   48                7.80
2019   18                7.46
2018   61                6.75

It may take a day or so for new Schneider Electric vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Schneider Electric Security Vulnerabilities

Missing Authorization Vulnerability in Cisco IOS XE Software

CVE-2024-10575 9.8 - Critical - November 13, 2024

CWE-862: Missing Authorization vulnerability exists that could cause unauthorized access when enabled on the network, potentially impacting connected devices.

AuthZ

CWE-416: Use After Free vulnerability exists

CVE-2024-8422 7.8 - High - October 08, 2024

CWE-416: Use After Free vulnerability exists that could cause arbitrary code execution, denial of service and loss of confidentiality & integrity when an application user opens a malicious Zelio Soft 2 project file.

Dangling pointer

CWE-269: Improper Privilege Management vulnerability exists

CVE-2024-8306 7.8 - High - September 11, 2024

CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized access and loss of confidentiality, integrity and availability of the workstation when a non-admin authenticated user tries to perform privilege escalation by tampering with the binaries.

Improper Privilege Management

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists

CVE-2024-2602 7.8 - High - July 11, 2024

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could result in remote code execution when an authenticated user executes a saved project file that has been tampered with by a malicious actor.

Directory traversal

CWE-787: Out-of-Bounds Write vulnerability exists

CVE-2024-5679 7.1 - High - July 11, 2024

CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, or kernel memory leak when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.

Memory Corruption

CWE-129: Improper Validation of Array Index vulnerability exists

CVE-2024-5680 5.5 - Medium - July 11, 2024

CWE-129: Improper Validation of Array Index vulnerability exists that could cause local denial-of-service when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.

out-of-bounds array index

CWE-20: Improper Input Validation vulnerability exists

CVE-2024-5681 7.8 - High - July 11, 2024

CWE-20: Improper Input Validation vulnerability exists that could cause local denial-of-service, privilege escalation, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.

Improper Input Validation

CWE-428: Unquoted search path or element vulnerability exists in Easergy Studio

CVE-2024-2747 7.8 - High - June 12, 2024

CWE-428: Unquoted search path or element vulnerability exists in Easergy Studio, which could cause privilege escalation when a valid user replaces a trusted file name on the system and reboots the machine.

Unquoted Search Path or Element

CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists

CVE-2024-5559 6.8 - Medium - June 12, 2024

CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists that could cause denial of service, device reboot, or an attacker gaining full control of the relay when a specially crafted reset token is entered into the front panel of the device.

Use of a Broken or Risky Cryptographic Algorithm

CWE-798: Use of hard-coded credentials vulnerability exists

CVE-2024-0865 7.8 - High - June 12, 2024

CWE-798: Use of hard-coded credentials vulnerability exists that could cause local privilege escalation when logged in as a non-administrative user.

Use of Hard-coded Credentials

CWE-787: Out-of-bounds Write vulnerability exists

CVE-2024-37036 9.8 - Critical - June 12, 2024

CWE-787: Out-of-bounds Write vulnerability exists that could result in an authentication bypass when sending a malformed POST request and particular configuration parameters are set.

Memory Corruption

CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes an SSH interface over the product network interface

CVE-2024-5313 6.5 - Medium - June 12, 2024

CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes an SSH interface over the product network interface. This does not allow direct exploitation of the product or any unintended operation, as access to the SSH interface is protected by an authentication mechanism. Impacts are limited to port scanning and fingerprinting activities, as well as attempts to perform a potential denial of service attack on the exposed SSH interface.

Exposure of Resource to Wrong Sphere

CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists

CVE-2023-6408 8.1 - High - February 14, 2024

CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause a denial of service and loss of confidentiality and integrity of controllers when conducting a Man in the Middle attack.

Improper Enforcement of Message Integrity During Transmission in a Communication Channel

CWE-522: Insufficiently Protected Credentials vulnerability exists

CVE-2023-27975 7.1 - High - February 14, 2024

CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause unauthorized access to the project file in EcoStruxure Control Expert when a local user tampers with the memory of the engineering workstation.

Insufficiently Protected Credentials

CWE-798: Use of Hard-coded Credentials vulnerability exists

CVE-2023-6409 7.7 - High - February 14, 2024

CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to a project file protected with application password when opening the file with EcoStruxure Control Expert.

Use of Hard-coded Credentials

A CWE-502: Deserialization of untrusted data vulnerability exists

CVE-2023-7032 7.8 - High - January 09, 2024

A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker logged in with a user level account to gain higher privileges by providing a harmful serialized object.

Marshaling, Unmarshaling

A CWE-601 URL Redirection to Untrusted Site vulnerability exists

CVE-2023-5986 6.1 - Medium - November 15, 2023

A CWE-601 URL Redirection to Untrusted Site vulnerability exists that could cause an open redirect vulnerability leading to a cross-site scripting attack. By providing a URL-encoded input, attackers can cause the software's web application to redirect to the chosen domain after a successful login is performed.

Open Redirect

A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability

CVE-2023-5987 6.1 - Medium - November 15, 2023

A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists that could lead to a cross-site scripting condition where attackers can have a victim's browser run arbitrary JavaScript when they visit a page containing the injected payload.

A CWE-502: Deserialization of untrusted data vulnerability exists

CVE-2023-5391 9.8 - Critical - October 04, 2023

A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the application.

Marshaling, Unmarshaling

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists

CVE-2023-5399 9.8 - Critical - October 04, 2023

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause tampering of files on the personal computer running C-Bus when using the File Command.

Directory traversal

A CWE-269: Improper Privilege Management vulnerability exists

CVE-2023-5402 9.8 - Critical - October 04, 2023

A CWE-269: Improper Privilege Management vulnerability exists that could cause a remote code execution when the transfer command is used over the network.

Improper Privilege Management

A CWE-306: Missing Authentication for Critical Function vulnerability exists in the IGSS Update Service

CVE-2023-4516 7.8 - High - September 14, 2023

A CWE-306: Missing Authentication for Critical Function vulnerability exists in the IGSS Update Service that could allow a local attacker to change the update source, potentially leading to remote code execution when the attacker forces an update containing malicious content.

Missing Authentication for Critical Function

A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists

CVE-2023-3953 5.3 - Medium - August 09, 2023

A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause memory corruption when an authenticated user opens a tampered log file from GP-Pro EX.

Buffer Overflow

A CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) vulnerability exists

CVE-2023-29414 7.8 - High - July 12, 2023

A CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow) vulnerability exists that could cause user privilege escalation if a local user sends specific string input to a local function call.

Classic Buffer Overflow

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists

CVE-2023-37199 7.2 - High - July 12, 2023

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored.

Code Injection

A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists

CVE-2023-37196 8.8 - High - July 12, 2023

A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change or delete content, or perform unauthorized actions when tampering with the alert settings of endpoints on DCE.

SQL Injection

A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists

CVE-2023-37197 8.8 - High - July 12, 2023

A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change or delete content, or perform unauthorized actions when tampering with the mass configuration settings of endpoints on DCE.

SQL Injection

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists

CVE-2023-37198 7.2 - High - July 12, 2023

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages.

Code Injection

A CWE-787: Out-of-Bounds Write vulnerability exists

CVE-2023-2569 7.8 - High - June 14, 2023

A CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, elevation of privilege, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.

Memory Corruption

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists

CVE-2023-1049 7.8 - High - June 14, 2023

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspecting user loads a project file from the local filesystem into the HMI.

Code Injection

A CWE-129: Improper Validation of Array Index vulnerability exists

CVE-2023-2570 7.8 - High - June 14, 2023

A CWE-129: Improper Validation of Array Index vulnerability exists that could cause local denial-of-service, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an unpredictable index to an IOCTL call in the Foxboro.sys driver.

out-of-bounds array index

A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module

CVE-2023-3001 7.8 - High - June 14, 2023

A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that could cause an interpretation of malicious payload data, potentially leading to remote code execution when an attacker gets the user to open a malicious file.

Marshaling, Unmarshaling

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists

CVE-2023-2161 5.5 - Medium - May 16, 2023

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized read access to the file system when a malicious configuration file is loaded onto the software by a local user.

XXE

A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists

CVE-2023-25554 7.8 - High - April 18, 2023

A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

Shell injection

A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists

CVE-2023-25555 8.1 - High - April 18, 2023

A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow a user that knows the credentials to execute unprivileged shell commands on the appliance over SSH. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

Shell injection

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver

CVE-2023-25553 6.1 - Medium - April 18, 2023

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

XSS

A CWE-862: Missing Authorization vulnerability exists

CVE-2023-25552 8.1 - High - April 18, 2023

A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized content, changing or deleting of content, or performing unauthorized functions when tampering with the Device File Transfer settings on DCE endpoints. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

AuthZ

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP

CVE-2023-25551 6.1 - Medium - April 18, 2023

A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

XSS

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists

CVE-2023-25550 9.8 - Critical - April 18, 2023

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows remote code execution via the hostname parameter when maliciously crafted hostname syntax is entered. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

Code Injection

A CWE-863: Incorrect Authorization vulnerability exists

CVE-2023-25548 6.5 - Medium - April 18, 2023

A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints that are not properly secured when an attacker uses a low-privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

AuthZ

A CWE-613: Insufficient Session Expiration vulnerability exists

CVE-2023-28003 8.8 - High - April 18, 2023

A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session in PME after the legitimate user has signed out of their account.

Insufficient Session Expiration

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists

CVE-2023-25549 9.8 - Critical - April 18, 2023

A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

Code Injection

A CWE-863: Incorrect Authorization vulnerability exists

CVE-2023-25547 8.8 - High - April 18, 2023

A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when an attacker uses a low-privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)

AuthZ

A CWE-427 - Uncontrolled Search Path Element vulnerability exists

CVE-2022-34755 6.7 - Medium - April 18, 2023

A CWE-427 - Uncontrolled Search Path Element vulnerability exists that could allow an attacker with a local privileged account to place a specially crafted file on the target machine, which may give the attacker the ability to execute arbitrary code during the installation process initiated by a valid user. Affected Products: Easergy Builder Installer (1.7.23 and prior)

DLL preloading

A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists

CVE-2023-27976 8.8 - High - April 18, 2023

A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause remote code execution when a valid user visits a malicious link provided through the web endpoints. Affected Products: EcoStruxure Control Expert (V15.1 and above)

Exposure of Resource to Wrong Sphere

A CWE-269: Improper Privilege Management vulnerability exists

CVE-2023-1548 5.5 - Medium - April 18, 2023

A CWE-269: Improper Privilege Management vulnerability exists that could cause a local user to perform a denial of service through the console server service that is part of EcoStruxure Control Expert. Affected Products: EcoStruxure Control Expert (V15.1 and above)

Improper Privilege Management

A CWE-306: Missing Authentication for Critical Function vulnerability exists in the Data Server TCP interface

CVE-2023-27983 5.3 - Medium - March 21, 2023

A CWE-306: Missing Authentication for Critical Function vulnerability exists in the Data Server TCP interface that could allow deletion of reports from the IGSS project report directory, which would lead to loss of data when an attacker abuses this functionality. Affected Products: IGSS Data Server (IGSSdataServer.exe) (V16.0.0.23040 and prior), IGSS Dashboard (DashBoard.exe) (V16.0.0.23040 and prior), Custom Reports (RMS16.dll) (V16.0.0.23040 and prior).

Missing Authentication for Critical Function

A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server

CVE-2023-27979 6.5 - Medium - March 21, 2023

A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could allow the renaming of files in the IGSS project report directory, which could lead to denial of service when an attacker sends specifically crafted messages to the Data Server TCP port. Affected Products: IGSS Data Server (IGSSdataServer.exe) (V16.0.0.23040 and prior), IGSS Dashboard (DashBoard.exe) (V16.0.0.23040 and prior), Custom Reports (RMS16.dll) (V16.0.0.23040 and prior).

Insufficient Verification of Data Authenticity

A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server

CVE-2023-27977 5.3 - Medium - March 21, 2023

A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could allow deletion of files in the IGSS project report directory, which could lead to loss of data when an attacker sends specifically crafted messages to the Data Server TCP port. Affected Products: IGSS Data Server (IGSSdataServer.exe) (V16.0.0.23040 and prior), IGSS Dashboard (DashBoard.exe) (V16.0.0.23040 and prior), Custom Reports (RMS16.dll) (V16.0.0.23040 and prior).

Insufficient Verification of Data Authenticity

A CWE-20: Improper Input Validation vulnerability exists in Custom Reports

CVE-2023-27984 8.8 - High - March 21, 2023

A CWE-20: Improper Input Validation vulnerability exists in Custom Reports that could cause a macro to be executed, potentially leading to remote code execution when a user opens a malicious report file planted by an attacker. Affected Products: IGSS Data Server (IGSSdataServer.exe) (V16.0.0.23040 and prior), IGSS Dashboard (DashBoard.exe) (V16.0.0.23040 and prior), Custom Reports (RMS16.dll) (V16.0.0.23040 and prior).

Improper Input Validation

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).