Schneider Electric Flaws Expose Systems to OS Command Injection Attacks
Schneider Electric, a global leader in industrial technology and sustainability, has issued a critical security notification revealing multiple vulnerabilities in its EcoStruxure IT Data Center Expert (DCE) software, a scalable monitoring solution for data center equipment.
Released on July 8, 2025, under document reference SEVD-2025-189-01, the advisory details six severe flaws affecting versions 8.3 and prior of the product.
These vulnerabilities, if exploited, could lead to unauthorized access, information disclosure, and remote compromise, posing significant risks to operational continuity and data security in critical infrastructure environments.
Critical Vulnerabilities Identified
Among the most alarming issues is CVE-2025-50121, an OS Command Injection vulnerability (CWE-78) with a CVSS v3.1 score of 10 (Critical) and a CVSS v4.0 score of 9.5.
This flaw allows unauthenticated remote code execution through the web interface when HTTP is enabled; HTTP is disabled by default.
Another critical concern is CVE-2025-50122, an Insufficient Entropy ...
Copyright of this story solely belongs to gbhackers.