Schneider Electric Easergy, EcoStruxture, PowerLogic, and Saitel Products

Risk Summary

Schneider Electric is aware of vulnerabilities in its PowerChute™ Serial Shutdown product. The [PowerChute Serial Shutdown](https://www.se.com/ww/en/product-range/137943580-powerchute-serial-shutdown/#products) product is a UPS management software enabling graceful system shutdown and energy management capabilities for desktop, servers and workstations. Failure to apply the remediation provided below may risk improper input validation which could result in disruption of operations and access to system data.

CVEs (1)

Remediations

• Version D7.34 of MiCOM C264 includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for information on how to contact your local Application Center to update the device. Reboot is required
• Version 1.1.18 of Easergy C5 includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for information on how to contact your local Application Center to update the device. Reboot is required
• Version P139.678.700 Easergy MiCOM P139 includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for information on how to contact your local Application Center to update the device.
• Version P439.678.700 Easergy MiCOM P439 includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for information on how to contact your local Application Center to update the device.
• Version P539.678.700 Easergy MiCOM P539 includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for information on how to contact your local Application Center to update the device.
• Version P632.678.700 Easergy MiCOM P632 includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for information on how to contact your local Application Center to update the device.
• Version P633.678.700 Easergy MiCOM P633 includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for information on how to contact your local Application Center to update the device.
• Version P634.680.701 Easergy MiCOM P634 includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for information on how to contact your local Application Center to update the device.
• Version P633.680.701 Easergy MiCOM P633 includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for information on how to contact your local Application Center to update the device.
• Version P138.677.701 Easergy MiCOM P138 includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for information on how to contact your local Application Center to update the device.
• Version C434.679.700 Easergy MiCOM C434 includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for information on how to contact your local Application Center to update the device.
• HUe Firmware version 11.06.31 includes a fix for this vulnerability and is available for download here: . Contact Schneider Electric’s Customer Care Center to download this software. A reboot is needed to complete the firmware upgrade
• Version 6.4.610.500.101 of EPAS Gateway includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center to download this software
• Version 3.0.4 of EPAS-UI includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center to download this software.
• EPO 2022 CU 7 of EcoStruxure™ Power Operation includes a fix for this vulnerability and is available for download here: • https://community.se.com/t5/EcoStruxure-PowerOperation/Power-Operation-2022-CU7-is-Now-Available/tdp/524787 Reboot needed: yes
• EPO 2024 CU 3 of EcoStruxure™ Power Operation includes a fix for this vulnerability and is available for download here: • https://community.se.com/t5/EcoStruxure-PowerOperation/Power-Operation-2024-CU3-is-HERE/td-p/534769 Reboot needed: yes
• Version 64.2025.0.14 of iPMFLS includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for information on how to contact your local Application Center to update the device.
• Version V02.503.101 of PowerLogic™ P5 includes a fix for this vulnerability Contact Schneider Electric’s Customer Care Center to download this firmware.
• Version V02.003.001 of PowerLogic™ P7 includes a fix for this vulnerability Contact Schneider Electric’s Customer Care Center to download this firmware.
• Version 2.9.5 of PowerLogic™ T300 includes a fix for this vulnerability Contact Schneider Electric’s Customer Care Center to download this firmware. A reboot is needed to complete the firmware upgrade
• Version 11.08.03 of PowerLogic™ T500 includes a fix for this vulnerability Contact Schneider Electric’s Customer Care Center to download this firmware. A reboot is needed to complete the firmware upgrade
• CPU866e Firmware version 11.06.37 includes a fix for this vulnerability and is available for download. Contact Schneider Electric’s Customer Care Center to download this firmware. A reboot is needed to complete the firmware upgrade
• Schneider Electric is establishing a remediation plan for all future versions of the following models of the Easergy MiCOM P30: P437 P532 P631 P634 P436 P438 P638 Future versions will include a fix for this vulnerability. We will update this document when the remediation is available. Until then, customers should immediately apply the following mitigations to reduce the risk of exploit: • Ensure P30 operates within a physically or logically segmented internal network. Access to this network should be tightly controlled using standard security mechanisms such as firewalls, intrusion detection systems (IDS), and other relevant protective measures. • Reduce the “Minimum inactivity period” using the CAE tool to shorten session timeout durations and minimize the risk of unauthorized access due to inactive sessions
• Schneider Electric is establishing a remediation plan for a future version of the Easergy MiCOM P40 Series model numbers with Protocol Option bit as G, H or L. P_ 4_ _ _ _ _ G_ _ _ _ _ M P_ 4_ _ _ _ _ H_ _ _ _ _ M P_ 4_ _ _ _ _ L _ _ _ _ _ M P_ 4_ _ _ _ _ G_ _ _ _ _ L P_ 4_ _ _ _ _ H_ _ _ _ _ L P_ 4_ _ _ _ _ L _ _ _ _ _ L A future version will include a fix for this vulnerability. We will update this document when the remediation is available. Until then, customers should immediately apply the following mitigations to reduce the risk of exploit: • Ensure P40 operates within a physically or logically segmented internal network. Access to this network should be tightly controlled using standard security mechanisms such as firewalls, intrusion detection systems (IDS), and other relevant protective measures. • Reduce the “Minimum inactivity period” using the CAE tool to shorten session timeout durations and minimize the risk of unauthorized access due to inactive sessions
• If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:• Ensure P30 operates within a physically or logically segmented internal network. Access to this network should be tightly controlled using standard security mechanisms such as firewalls, intrusion detection systems (IDS), and other relevant protective measures. • Reduce the “Minimum inactivity period” using the CAE tool to shorten session timeout durations and minimize the risk of unauthorized access due to inactive sessions.

Affected Vendors

Affected Products (52)

Affected Sectors

Chemical, Critical Manufacturing, Energy, Water and Wastewater