Schneider Electric has disclosed a critical set of six vulnerabilities affecting its EcoStruxure IT Data Center Expert software that could allow attackers to execute remote code and gain unauthorized system access. The vulnerabilities collectively affect the EcoStruxure IT Data Center Expert platform, which serves as scalable monitoring software for critical infrastructure equipment across numerous industrial environments. The vulnerabilities, discovered in versions 8.3 and prior, present significant security risks to data center operations worldwide.

Schneider Electric analysts identified these vulnerabilities through comprehensive security research conducted by external researchers Jaggar Henry and Jim Becher from KoreLogic, Inc.

The primary attack vector centers on CVE-2025-50121, an OS command injection vulnerability that exploits improper neutralization of special elements in system commands. When HTTP is enabled on the web interface, attackers can manipulate folder creation processes to inject malicious commands directly into the underlying operating system. The vulnerability manifests when the application processes user-supplied folder names without proper sanitization, allowing shell metacharacters to be interpreted as system commands. For instance, folder names containing semicolons, pipes, or backticks can break out of the intended command context and execute arbitrary code with system privileges.

Additional vulnerabilities include insufficient entropy in password generation (CVE-2025-50122), code injection through hostname manipulation (CVE-2025-50123), and server-side request forgery attacks (CVE-2025-50125).

Organizations must immediately upgrade to EcoStruxure IT Data Center Expert version 9.0, which addresses all identified vulnerabilities.
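
The folder-name injection class described above is closed by validating names against an allow-list and creating the directory through a filesystem call rather than a shell command. The following Python sketch is an added illustration, not Schneider Electric's code or the version 9.0 fix; the allow-list policy, the function names, and the sample folder names are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Assumed policy for this example: start with a letter or digit, then up to
# 63 letters, digits, spaces, dots, underscores or hyphens. No separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}")
# Characters a shell would interpret; used only to explain a rejection in logs.
SHELL_METACHARS = set(";|`$&<>(){}[]!*?~\\\"'\n\r")

def find_metacharacters(name):
    """Return the shell metacharacters present in name, sorted."""
    return sorted(set(name) & SHELL_METACHARS)

def validate_folder_name(name):
    """Raise ValueError unless name matches the allow-list exactly."""
    if not isinstance(name, str) or not SAFE_NAME.fullmatch(name):
        raise ValueError("folder name not permitted")
    return name

def create_folder(base_dir, name):
    """Create base_dir/name with os.mkdir, so no shell ever parses the name."""
    validate_folder_name(name)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Defence in depth: the resolved path must stay under the base directory.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    os.mkdir(target, mode=0o750)
    return target

# Constructed sample input: two ordinary names and five that must be refused.
CONSTRUCTED_NAMES = ["rack-a1", "Row 3.backup", "logs; id", "a|b", "`x`", "../etc", ""]

def audit(names, base_dir):
    """Try each name; report 'created' or 'rejected:<metacharacters found>'."""
    results = {}
    for name in names:
        try:
            create_folder(base_dir, name)
            results[name] = "created"
        except ValueError:
            results[name] = "rejected:" + "".join(find_metacharacters(name))
    return results

def run_demo():
    with tempfile.TemporaryDirectory() as base:
        return audit(CONSTRUCTED_NAMES, base)

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(repr(name), "->", outcome)
```

The metacharacter list only annotates rejections for logging; the allow-list is what decides acceptance, so characters missing from that list are still refused.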
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 10 Jul 2025 19:25:10 +0000