CVE-2025-11739

Description

CWE‑502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stream, triggering unsafe deserialization.

CVSS breakdown

CVSS 4.0

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

None

Confidentiality (Vulnerable System)

High

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

High

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME)Version 2022 – Version 2022
Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME)Version 2023 – Version 2023
Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME)Version 2023 R2 – Version 2023 R2
Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME)Version 2024 – Version 2024
Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME)Version 2024 R2 – Version 2024 R2
Schneider Electric / EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards ModuleVersion 2022 – Version 2022
Schneider Electric / EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards ModuleVersion 2024 – Version 2024

References

MISChttps://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-06&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-06.pdf