CVE-2025-8448

Summary

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause unauthorized access to sensitive credential data when an attacker is able to capture local SMB traffic between a valid user within the BMS network and the vulnerable products.

Affected Software

VendorProductVersion RangeStatus
Schneider EelctricEcoStruxure Building Operation Enterprise ServerAll 7.x versions < 7.0.2.348affected
Schneider EelctricEcoStruxure Building Operation Enterprise ServerAll 6.x versions < 6.0.4.10001 (CP8)affected
Schneider EelctricEcoStruxure Building Operation Enterprise ServerAll 5.x versions < 5.0.3.17009 (CP16)affected
Schneider ElectricEcoStruxure Enterprise ServerAll 7.x versions < 7.0.2.348affected
Schneider ElectricEcoStruxure Enterprise ServerAll 6.x versions < 6.0.4.10001 (CP8)affected
Schneider ElectricEcoStruxure Enterprise ServerAll 5.x versions < 5.0.3.17009 (CP16)affected
Schneider EelctricEcoStruxure Building Operation WorkstationAll 7.x versions < 7.0.2.348affected
Schneider EelctricEcoStruxure Building Operation WorkstationAll 6.x versions < 6.0.4.10001 (CP8)affected
Schneider EelctricEcoStruxure Building Operation WorkstationAll 5.x versions < 5.0.3.17009 (CP16)affected

Weaknesses

  • CWE-200: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References