CVE-2025-11739

Summary

CWE‑502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stream, triggering unsafe deserialization.

Affected Software

VendorProductVersion RangeStatus
Schneider ElectricEcoStruxure™ Power Monitoring Expert (PME)Version 2022affected
Schneider ElectricEcoStruxure™ Power Monitoring Expert (PME)Version 2023affected
Schneider ElectricEcoStruxure™ Power Monitoring Expert (PME)Version 2023 R2affected
Schneider ElectricEcoStruxure™ Power Monitoring Expert (PME)Version 2024affected
Schneider ElectricEcoStruxure™ Power Monitoring Expert (PME)Version 2024 R2affected
Schneider ElectricEcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards ModuleVersion 2022affected
Schneider ElectricEcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards ModuleVersion 2024affected

Weaknesses

  • CWE-502: CWE-502 Deserialization of untrusted data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References