EcoStruxure IT Data Center Expert <= 8.3 Multiple Vulnerabilities (SEVD-2025-189-01)

critical Nessus Plugin ID 242985

Synopsis

The remote web server contains an application that is affected by multiple vulnerabilities.

Description

The version of EcoStruxure IT Data Center Expert installed on the remote host is prior to 9.0. It is, therefore, affected by multiple vulnerabilities as referenced in the apsb25-36 advisory.

- A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause unauthenticated remote code execution when a malicious folder is created through the web interface over HTTP, when HTTP is enabled. HTTP is disabled by default. (CVE-2025-50121)

- A CWE-331: Insufficient Entropy vulnerability exists that could cause root password discovery when the password generation algorithm is reverse engineered with access to installation or upgrade artifacts. (CVE-2025-50122)

- A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote command execution by a privileged account when the server is accessed via a console and through exploitation of the hostname input. (CVE-2025-50123)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to EcoStruxure IT Data Center Expert version 9.0 or later.

See Also

http://www.nessus.org/u?91bad62f

Plugin Details

Severity: Critical

ID: 242985

File Name: schneider_ecostruxure_IDCE_SEVD-2025-189-01.nasl

Version: 1.1

Type: remote

Family: CGI abuses

Published: 7/29/2025

Updated: 7/29/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-50121

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:schneider-electric:data_center_expert

Required KB Items: installed_sw/Data Center Expert

Patch Publication Date: 7/8/2025

Vulnerability Publication Date: 7/8/2025

Reference Information

CVE: CVE-2025-50121, CVE-2025-50122, CVE-2025-50123, CVE-2025-50124, CVE-2025-50125, CVE-2025-6438

IAVB: 2025-B-0111