Summary: Schneider Electric has issued a security notification for a critical vulnerability in the WebHMI component affecting its EcoStruxure Power Automation System and EcoStruxure Microgrid Operation Large solutions. The vulnerability, identified as CVE-2025-1960, could allow unauthorized access if default credentials are not changed. A hotfix is available to address this issue, alongside recommended security practices to mitigate risks.
Affected: Schneider Electric EcoStruxure Power Automation System and EcoStruxure Microgrid Operation Large (EMO-L)
Key points:
- CVE-2025-1960 has a CVSS v3.1 score of 9.8, indicating critical severity.
- The vulnerability allows unauthorized command execution due to insecure default credentials.
- Affected versions include WebHMI v4.1.0.0 and prior; customers should apply the provided hotfix.
- Schneider Electric recommends that WebHMI be kept off the internet and that its hardening guidelines be followed.
- General best practices include using firewalls, securing remote access via VPNs, and restricting device exposure to secure networks.