Schneider Electric has released hotfixes for a cluster of high-impact vulnerabilities in its EcoStruxure Power Monitoring Expert (PME) software, addressing flaws that could allow remote code execution, data theft, and server-side request forgery. The advisory, published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on August 12, 2025, details five distinct CVEs affecting PME 2024, PME 2024 R2, and older versions, with patches already available for supported releases. Organizations in commercial facilities, critical manufacturing, and energy sectors must apply these fixes immediately, as the vulnerabilities expose Windows-hosted industrial monitoring infrastructure to severe compromise.

A Cluster of Critical Flaws

The advisory (ICSA-25-224-03) bundles multiple vulnerability types that together create several attack paths into the widely deployed power monitoring platform. The affected products include EcoStruxure PME versions 2022 (end-of-life), 2023, 2023 R2, 2024, and 2024 R2, as well as the Advanced Reporting and Dashboards Module when used with certain combinations. Each CVE carries a high CVSS score, signaling serious risk to confidentiality, integrity, and availability.

Deserialization of Untrusted Data (CVE-2025-54923)

A deserialization flaw exists in a TCP service that listens on a random high port. An authenticated attacker with low privileges can send crafted serialized objects, bypassing safe type checks, to achieve remote code execution or system compromise. The CVSS v3.1 score is 8.8 and v4 is 8.7, reflecting the ease of exploitation once a foothold is established.

Server-Side Request Forgery (CVE-2025-54924 and CVE-2025-54925)

Two pre-authentication SSRF bugs allow unauthenticated attackers to force the PME server to make arbitrary HTTP requests to internal addresses. CVE-2025-54924 is triggered via a specially crafted document, while CVE-2025-54925 is exploited by configuring the application to access a malicious URL. Both have a CVSS v3.1 score of 7.5 and v4 of 8.7, enabling attackers to probe internal networks, access metadata services, and bypass perimeter defenses.

Path Traversal Vulnerabilities (CVE-2025-54926 and CVE-2025-54927)

Two directory traversal issues require authentication but differ in severity. CVE-2025-54926 (CVSS v3.1 7.2, v4 8.6) allows an authenticated admin to upload a malicious file via HTTP, which the system then writes to an arbitrary location and potentially executes, leading to remote code execution. CVE-2025-54927 (CVSS v3.1 4.9, v4 6.9) permits an authenticated attacker to read sensitive files by manipulating path inputs. Together, they enable data exfiltration and system takeover if administrative credentials are compromised.

Immediate Hotfixes, Not Just Future Promises

Unlike some initial reports that emphasized a November 2025 patch timeline, Schneider Electric has already issued hotfixes for its current PME versions. Hotfix_279338_Release_2024R2 is available for PME 2024 R2 and covers all five CVEs. Users on PME 2024 should upgrade to 2024 R2 and then apply this hotfix. For PME 2023, hotfixes Hotfix_199767_release and Hotfix_273686_release.12.0 address CVE-2025-54924, CVE-2025-54925, and CVE-2025-54927, while the other CVEs may be mitigated through configuration or are not present in those versions. PME 2022 is end-of-life and requires immediate application of recommended mitigations, as no patches will be provided.

Schneider Electric also plans a future major release, PME 2024 R3, slated for November 11, 2025, which will include these fixes and likely additional hardening. However, organizations should not wait—apply the hotfixes now and use the coming months to test and prepare for the full upgrade.

Real-World Attack Scenarios

The forum analysis details how these vulnerabilities can be chained in practical attacks against hybrid IT/OT environments, where PME often runs on Windows servers and bridges corporate and operational networks.

  • Lateral Reconnaissance and Credential Abuse: A phishing attack compromises a domain user with PME access. Using the path traversal upload flaw (CVE-2025-54926), the attacker writes a web shell or scheduled task, gaining persistent remote access and potentially moving laterally via Windows domain trusts.
  • Internal Pivot Using SSRF: An unauthenticated threat actor discovers the PME management URL through internet scanning. By sending a crafted request to the SSRF endpoint (CVE-2025-54924), they probe internal automation consoles and extract credentials from unprotected APIs, opening the door to deeper operational compromise.
  • Low-Privilege Deserialization Escalation: An authenticated low-privilege user identifies the random TCP port used by the vulnerable service. By delivering a malicious serialized payload, they exploit gadget chains in the application runtime to execute code as the service account, potentially achieving full system control.

These scenarios underscore the danger of leaving PME servers exposed or poorly segmented. The deserialization and SSRF bugs do not require elevated privileges, making them especially attractive for initial access brokers.

Why Windows Admins Must Act Fast

PME installations run predominantly on Windows servers and integrate with Active Directory, Group Policy, and standard remote management tools. This creates a familiar attack surface for adversaries:

  • Domain-joined PME servers can become stepping stones if over-privileged service accounts allow lateral movement.
  • Windows features like PowerShell and Scheduled Tasks offer straightforward persistence mechanisms post-exploit.
  • File write vulnerabilities, such as the path traversal flaws, can directly deposit malicious executables into startup folders or write to system directories if accounts have excessive rights.

Schneider Electric and CISA therefore stress least privilege, robust Windows firewall rules, and strict network segmentation as immediate compensating controls—even after applying hotfixes.

Mitigations for Immediate Risk Reduction

Until hotfixes are deployed, or for systems that cannot be immediately patched, the following layered defenses are critical:

  • Isolate PME Servers: Place them on a dedicated VLAN with no direct internet access. Restrict inbound management traffic to trusted IP addresses only.
  • Apply Strict Windows Firewall Rules: Block all inbound connections on the ephemeral TCP port range associated with the deserialization service unless absolutely necessary, and then permit them only from known admin hosts.
  • Audit and Minimize Privileges: Remove unnecessary accounts from PME, enforce least privilege, and rotate any service account credentials that have administrative rights. Disable unused accounts and implement multi-factor authentication where possible.
  • Harden File Upload Paths: If upload endpoints are exposed, use a web application firewall (WAF) or reverse proxy to filter path traversal attempts. Validate and sanitize all file uploads.
  • Block Outbound SSRF: Restrict egress traffic from PME hosts to internal networks. Only allow communication to necessary telemetry and integration targets. Use network ACLs to deny HTTP requests to sensitive internal services.
  • Enable Enhanced Monitoring: Deploy endpoint detection and response (EDR) on PME hosts to alert on suspicious file writes, new processes, or unusual network connections. Monitor for repeated port scans or outbound HTTP requests from PME to internal IPs.
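
The two application-layer controls above (validating upload names and allowlisting outbound requests) are easy to get subtly wrong, so here is an added example of both checks in Python. It is not code from the advisory, from Schneider Electric, or from PME itself; the upload root, the allowlisted telemetry host and IP address, and the function names are assumptions made for the illustration.

```python
import ipaddress
import os
from urllib.parse import urlsplit

# Hypothetical values for the illustration; PME's real upload directory and
# integration endpoints are not assumed here.
UPLOAD_ROOT = "/srv/pme/uploads"
ALLOWED_EGRESS_HOSTS = {"telemetry.example.internal", "10.20.0.15"}


def resolve_upload_path(upload_root, client_filename):
    """Return the absolute path an upload may be written to, or None when the
    client-supplied name must be rejected.

    A legitimate upload name is a bare file name: any directory separator,
    dot-segment or NUL byte is treated as a traversal attempt and refused
    rather than "cleaned", because silently rewriting the name hides the
    attempt from the logs. The realpath/commonpath comparison is defence in
    depth for cases the character checks miss (for example a symlinked root)."""
    name = client_filename
    if not name or "\x00" in name or "/" in name or "\\" in name or name in (".", ".."):
        return None
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, name))
    # commonpath also blocks sibling-prefix tricks such as /srv/pme/uploads_evil
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def egress_decision(url, allowed_hosts):
    """Decide whether the monitoring host may fetch `url`.

    Returns (allowed, reason). Policy is default-deny: link-local and loopback
    targets (the cloud metadata address 169.254.169.254 among them) are never
    allowed, even if someone adds them to the allowlist by mistake; everything
    else must match the explicit allowlist of telemetry/integration targets.
    The reason string distinguishes an internal-address attempt (worth an
    alert) from an ordinary unlisted destination."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme-not-http"
    host = parts.hostname
    if not host:
        return False, "no-host"
    ip = None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        pass  # a hostname rather than an IP literal
    if ip is not None and (ip.is_link_local or ip.is_loopback or ip.is_unspecified):
        return False, "never-allowed"
    if host.lower() in allowed_hosts:
        return True, "allowlisted"
    if ip is not None and ip.is_private:
        return False, "internal-address"
    return False, "not-on-allowlist"
```

One caveat on the allowlist: matching a hostname string does not stop DNS rebinding, so an enforcement point should resolve the name once, check the resulting address with the same rules, and connect to that pinned address rather than resolving again.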

Detection and Response Guidance

Detecting exploitation attempts requires looking for specific indicators:

  • Network Signatures: Outbound HTTP connections from PME to internal addresses that are not part of normal operations may indicate SSRF probes. Also watch for repeated connections to high ephemeral ports.
  • File System Changes: Creation of new executable files in web directories or application data folders can signal a path traversal exploit.
  • Process Anomalies: Unexpected child processes spawned by the PME service, PowerShell or cmd.exe execution from unusual paths, or new scheduled tasks should be treated as high-priority alerts.
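
The three indicator classes above can be turned into concrete triage logic. The following is an added Python example, not tooling from the advisory, from CISA, or from Schneider Electric; it runs over constructed events in a simple key=value format (not real PME, IIS or Sysmon output), and the host name, the web root, the approved telemetry target and the service binary name pme_example_service.exe are all assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample events (key=value after a timestamp); not real product logs.
SAMPLE_EVENTS = [
    # Egress from the monitoring host to the cloud metadata address: SSRF probe pattern.
    "2025-08-13T09:14:02Z type=egress host=pme-srv01 dst=169.254.169.254 dport=80 uri=/latest/meta-data/",
    # Egress to the approved telemetry collector: expected traffic.
    "2025-08-13T09:14:05Z type=egress host=pme-srv01 dst=10.20.0.15 dport=443 uri=/ingest",
    # Connection to an internal address on a high ephemeral port: probe behaviour.
    "2025-08-13T09:15:10Z type=egress host=pme-srv01 dst=10.20.1.7 dport=49321 uri=/",
    # Executable content written into the web tree.
    "2025-08-13T09:20:11Z type=file_create host=pme-srv01 path=C:\\inetpub\\wwwroot\\pme\\upload\\shell.aspx",
    # Benign export into the same tree.
    "2025-08-13T09:21:00Z type=file_create host=pme-srv01 path=C:\\inetpub\\wwwroot\\pme\\upload\\report.csv",
    # Hypothetical service binary spawning PowerShell.
    "2025-08-13T09:25:42Z type=process host=pme-srv01 parent=C:\\PME\\pme_example_service.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    # Same service spawning its own worker: assumed normal.
    "2025-08-13T09:26:00Z type=process host=pme-srv01 parent=C:\\PME\\pme_example_service.exe image=C:\\PME\\pme_example_worker.exe",
]

PME_HOSTS = {"pme-srv01"}                          # constructed host name
ALLOWED_EGRESS = {("10.20.0.15", 443)}             # approved telemetry target (constructed)
PME_SERVICE_IMAGES = {"pme_example_service.exe"}   # hypothetical service binary
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "schtasks.exe", "wscript.exe", "cscript.exe"}
WATCHED_DIRS = ("c:\\inetpub\\wwwroot\\",)         # constructed web root
EXEC_EXTS = (".aspx", ".asp", ".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js")
EPHEMERAL_MIN = 49152                              # Windows dynamic port range starts here


def parse_event(line):
    """Split 'timestamp k=v k=v ...' into a dict (values contain no spaces)."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": ts}
    for m in re.finditer(r"(\w+)=(\S+)", rest):
        ev[m.group(1)] = m.group(2)
    return ev


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def classify(ev):
    """Return an alert label for one event, or None when it looks benign."""
    if ev.get("host") not in PME_HOSTS:
        return None
    kind = ev.get("type")
    if kind == "egress":
        dst, dport = ev.get("dst", ""), int(ev.get("dport", 0))
        if (dst, dport) in ALLOWED_EGRESS:
            return None
        if dst == "169.254.169.254":
            return "ssrf_metadata_probe"
        if _is_internal(dst):
            return "ssrf_high_port_probe" if dport >= EPHEMERAL_MIN else "ssrf_internal_egress"
        return None
    if kind == "file_create":
        path = ev.get("path", "").lower()
        if path.startswith(WATCHED_DIRS) and path.endswith(EXEC_EXTS):
            return "traversal_executable_write"
        return None
    if kind == "process":
        if _basename(ev.get("parent", "")) in PME_SERVICE_IMAGES and _basename(ev.get("image", "")) in SHELL_IMAGES:
            return "service_spawned_shell"
        return None
    return None


def triage(lines):
    """Return [(label, timestamp, raw line)] for every event that warrants an alert."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label:
            alerts.append((label, ev["ts"], line))
    return alerts


if __name__ == "__main__":
    for label, ts, raw in triage(SAMPLE_EVENTS):
        print(f"{ts} {label}: {raw}")
```

Run against the constructed sample, four of the seven events are raised: the metadata probe, the high-port connection to an internal address, the .aspx write under the web root, and the service process spawning PowerShell. The approved telemetry call, the CSV export and the service's own worker process stay quiet, which is the baseline any real deployment would need to establish before tuning the allowlists.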

If compromise is suspected, isolate the host, collect memory and disk forensics, and analyze web server and Windows Event logs. Follow your incident response plan and report to CISA if critical infrastructure is involved.

Looking Ahead

While the immediate release of hotfixes reduces risk, the PME 2024 R3 release in November will provide a consolidated update. Organizations should use the intervening months to:

  • Test the hotfix in a staging environment before production rollout.
  • Review and harden all PME integrations, ensuring that the software cannot serve as a proxy to sensitive internal services.
  • Implement continuous vulnerability management for OT assets, including regular scanning and patch cycles that account for operational constraints.
  • Build detection engineering use cases around the tactics and techniques observed in these vulnerabilities.

Schneider Electric’s advisory (SEVD-2025-224-02) provides additional technical details and hardening guidelines, and should be consulted alongside CISA’s recommendations.

For Windows administrators and security teams managing critical infrastructure, the key takeaway is clear: do not delay. Download and apply the available hotfixes, enforce strict network controls, and assume that attackers are already probing for exposed PME instances. The combination of pre-auth SSRF, unsafe deserialization, and path traversal creates a potent threat landscape—one that demands immediate, decisive action.