Schneider Electric EcoStruxure Power Operation (Update A)

Risk Summary

Successful exploitation of these vulnerabilities could result in the loss of system functionality or unauthorized access to system functions.

CVEs (6)

Remediations

• EcoStruxure Power Operation 2022 CU7 includes an updated version of PostgreSQL and is available for download here: https://community.se.com/t5/EcoStruxure-Power-Operation/v2022-Release-amp-Updates-Install-Procedure/m-p/491544#M7322
• Schneider Electric recommends users to employ appropriate patching methodologies when applying these patches to their systems. They strongly recommend making backups and evaluating the impact of these patches in a test and development environment or on offline infrastructure. Contact Schneider Electric's Customer Care Center at https://www.se.com/us/en/work/support/contacts.jsp for assistance removing a patch.
• If users choose not to apply the remediation mentioned above, Schneider Electric recommends the following:
• If waveform analysis and ETAP simulation features are not used, uninstall PostgreSQL,OR
• For users of waveform analysis and ETAP simulation features, Schneider Electric recommends all deployments of EPO only accept connections from localhost in PostgresSQL. Contact Schneider Electric's Customer Care Center at https://www.se.com/us/en/work/support/contacts.jsp for information on how to modify PostgreSQL. Additionally, Schneider Electric recommends users manually uninstall PostgreSQL 14.10 and update to PostgreSQL 14.17 or higher.
• For more information, see the associated Schneider Electric security advisory SEVD-2025-189-03: EcoStruxure Power Operation PDF version(https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-189-03.pdf), or CSAF version](https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2025-189-03.json).
• Schneider Electric strongly recommends adhering to the following industry cybersecurity best practices: Locate control and safety system networks and remote devices behind firewalls, and isolate them from the business network. Install physical controls to prevent unauthorized personnel from accessing industrial control and safety systems, components, peripheral equipment, and networks. Place all controllers in locked cabinets and never leave them in the "Program" mode. Never connect programming software to any network other than the one intended for that device. Scan all methods of mobile data exchange with the isolated network, such as CDs, USB drives, etc., before use in terminals or any nodes connected to these networks. Never allow mobile devices that have connected to any network other than the intended network to connect to safety or control networks without proper sanitation. Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the Internet. When remote access is required, use secure methods such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
• For more information, refer to the Schneider Electric recommended cybersecurity best practices document at https://www.se.com/us/en/download/document/7EN52-0390/ .

Affected Vendors

Affected Products (2)

Affected Sectors

Commercial Facilities, Critical Manufacturing, Energy