
[CIVN-2026-0024] Multiple Vulnerabilities in Schneider Electric
Multiple Vulnerabilities in Schneider Electric
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Plant iT/Brewmaxx versions v9.60 and above
EcoStruxure™ Process Expert Versions prior to 2025
EcoStruxure™ Process Expert for AVEVA System Platform All Versions
Wiser iTRV2 All versions
Wiser iTRV3 All versions
Wiser RTR2 All versions
Wiser UFH All versions
Wiser 16A Electrical Heat Switch All versions
Wiser Boiler Relay All versions
Exxact cFMT 16a All versions
Elko cFMT 16a All versions
Odace cFMT 2a All versions
Merten cFMT 16a All versions
Merten cFMT 2a All versions
Wiser Power Micromodule All versions
Wiser FIP Micromodule All versions
Iconic, Wiser Connected Smart Dimmer All versions
Iconic, Wiser Connected Smart Switch, 2AX All versions
Iconic, Wiser Connected Smart Switch, 10AX All versions
Iconic, Connected AC Fan Controller All versions
Iconic, Connected Smart Socket All versions
Wiser Connected Application Module 1-Gang All versions
Wiser Connected Application Module 2-Gang All versions
Wiser Connected Push Button Dimmer All versions
Wiser Connected Push Button Switch All versions
Wiser Connected Push Button Shutter All versions
Wiser Connected Motion Dimmer All versions
Wiser Connected Motion Switch All versions
Wiser Connected Rotary Dimmer All versions
Connected Wireless Switch All versions
Micromodule Switch All versions
Micromodule Dimmer All versions
Micromodule Shutter All versions
Connected Single Socket Outlet All versions
Connected Double Socket Outlet All versions
Fuga Connected Socket Outlet All versions
Mureva EV Link All versions
EcoStruxure Power Build Rapsody software
FR V2.8.1 and prior
INT V2.8.6 and prior
ES V2.8.5 and prior
BEL (NL) V2.8.3 and prior
BEL (FR) V2.8.8 and prior
FR V2.8.1.0300 and prior
ESP V2.8.5.0200 and prior
PT V2.8.7.0100 and prior
BEL(FR) V2.8.8.0100 and prior
BEL(EN) V2.8.3.0100 and prior
INT(EN) V2.8.4.0300 and prior
NL V2.8.2.0000 and prior
Overview
Multiple vulnerabilities have been reported in Schneider Electric products which could be exploited by a remote attacker to execute arbitrary code, escalate privileges or cause a Denial of service (DoS) condition on the targeted system.
Target Audience:
All organizations and individuals using the affected Schneider Electric products.
Risk Assessment:
Risk of unauthorized access, exposure of sensitive information or service unavailability.
Impact Assessment:
Potential for remote code execution, unauthorized access to sensitive data, or service disruption.
Description
Schneider Electric develops products and solutions for energy management and industrial automation, used across various sectors including residential, commercial, and industrial applications.
Multiple vulnerabilities in Schneider Electric products arise from Use After Free, Integer Overflow or Wraparound, Improper Control of Generation of Code (Code Injection), Out-of-bounds Read, Incorrect Default Permissions, buffer overflow, Uncontrolled Resource Consumption and heap memory corruption.
Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code, escalate privileges or cause a Denial of service (DoS) condition on the targeted system.
Solution
Apply appropriate updates as mentioned by the vendor:
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-02.pdf
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-03.pdf
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf
Vendor Information
Schneider Electric
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp
CVE Name
CVE-2024-10106
CVE-2024-6350
CVE-2024-6351
CVE-2024-6352
CVE-2024-7322
CVE-2025-13844
CVE-2025-13845
CVE-2025-13905
CVE-2025-46817
CVE-2025-46818
CVE-2025-46819
CVE-2025-49844
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


