Description
CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution and compromise of system integrity when authenticated users send crafted data to a network-exposed service that performs unsafe deserialization.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
None
Confidentiality (Vulnerable System)
High
Integrity (Vulnerable System)
High
Availability (Vulnerable System)
High
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
Affected products
- Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME)Version 2022 – Version 2022
- Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME)Version 2023 – Version 2023
- Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME)Version 2024 – Version 2024
- Schneider Electric / EcoStruxure™ Power Monitoring Expert (PME)Version 2024 R2 – Version 2024 R2
- Schneider Electric / EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards ModuleVersion 2022 w/ Advanced Reporting Module – Version 2022 w/ Advanced Reporting Module
- Schneider Electric / EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards ModuleVersion 2024 w/ Advanced Reporting Module – Version 2024 w/ Advanced Reporting Module