PatchSiren cyber security CVE debrief
CVE-2023-35945 envoyproxy CVE debrief
CVE-2023-35945 is publicly documented by CISA in a CSAF advisory for Schneider Electric EcoStruxure Power Operation (EPO). The supplied advisory ties the issue to EPO 2022 and EPO 2024 and describes a denial-of-service outcome driven by a memory leak/memory exhaustion condition. Because the affected product lines are industrial control system software, availability impact should be treated as operationally important. CISA published the advisory on 2025-07-22 and updated it on 2026-02-25.
- Vendor: envoyproxy
- Product: SINEC NMS
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-13
- Original CVE updated: 2024-03-12
- Advisory published: 2024-02-13
- Advisory updated: 2024-03-12
Who should care
Schneider Electric EcoStruxure Power Operation 2022 and 2024 operators, OT/ICS administrators, plant engineers, and defenders responsible for maintaining availability of EPO deployments, especially systems at or below CU6 (2022) and CU1 (2024).
Technical summary
The supplied CSAF record identifies CVE-2023-35945 as a denial-of-service vulnerability with a high availability impact (CVSS 3.1 7.5). The advisory text describes a memory leak that can lead to memory exhaustion, but it also contains upstream component language referencing Envoy/nghttp2 and patch versions that do not match the Schneider Electric product naming in the advisory. The authoritative source corpus nonetheless maps the CVE to EPO 2022 <=CU6 and EPO 2024 <=CU1 and provides vendor remediation guidance.
Defensive priority
High
Recommended defensive actions
- Apply Schneider Electric’s remediation for the affected EPO release line: EPO 2022 CU7 is identified in the advisory as the update path for that product line.
- Follow Schneider Electric’s guidance to back up systems and test patches in a development or offline environment before deployment.
- If waveform analysis and ETAP simulation features are not used, remove PostgreSQL as recommended in the advisory.
- If waveform analysis and ETAP simulation features are used, restrict PostgreSQL connections to localhost as directed by Schneider Electric and update PostgreSQL 14.10 to 14.17 or higher.
- Reduce network exposure for EPO and related control-system services; keep them behind firewalls and avoid direct Internet exposure.
- Use secure remote-access methods such as VPNs only when needed, and keep those access paths current and hardened.
- Consult the Schneider Electric security advisory SEVD-2025-189-03 and the CISA ICS advisory ICSA-25-203-04 for the latest vendor instructions.
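To make the PostgreSQL items above checkable, here is a small audit script added to this debrief (example code, not Schneider Electric's or CISA's tooling). It parses a pg_hba.conf and the listen_addresses setting from postgresql.conf and reports any rule that admits connections from somewhere other than the local host. The sample configuration embedded at the bottom is constructed; the file paths in the usage comment are assumptions.

```python
import ipaddress

# Connection-rule types in pg_hba.conf that carry an ADDRESS column.
HOST_TYPES = ("host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc")


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Parse pg_hba.conf text into a list of rule dicts (comments and blanks skipped)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        kind = fields[0]
        if kind == "local" and len(fields) >= 4:
            # Unix-socket rules have no ADDRESS column and are local by definition.
            rules.append({"line": lineno, "type": kind, "db": fields[1],
                          "user": fields[2], "address": None, "method": fields[3]})
        elif kind in HOST_TYPES and len(fields) >= 5:
            address, rest = fields[3], fields[4:]
            # "address netmask" form: fold the mask into "addr/mask" so ipaddress can read it.
            if rest and _is_ip(rest[0]):
                address = f"{address}/{rest[0]}"
                rest = rest[1:]
            rules.append({"line": lineno, "type": kind, "db": fields[1],
                          "user": fields[2], "address": address,
                          "method": rest[0] if rest else ""})
    return rules


def address_is_local(address):
    """True if a pg_hba ADDRESS value can only ever match the local host."""
    if address is None or address in ("samehost", "localhost"):
        return True
    if address in ("all", "samenet"):
        return False
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        # Hostnames, @include files, etc.: treat as non-local until reviewed by hand.
        return False
    return net.network_address.is_loopback and net.broadcast_address.is_loopback


def non_local_rules(hba_text):
    """Rules that would accept a TCP client from outside the local host."""
    return [r for r in parse_pg_hba(hba_text) if not address_is_local(r["address"])]


def listen_addresses(conf_text):
    """Effective listen_addresses from postgresql.conf text (commented lines keep the default)."""
    value = "localhost"  # PostgreSQL's documented default
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("listen_addresses"):
            _, _, rhs = line.partition("=")
            value = rhs.strip().strip("'\"")
    return [v.strip() for v in value.split(",") if v.strip()]


def listen_is_local(conf_text):
    """True if the server only binds loopback interfaces."""
    return all(v in ("localhost", "127.0.0.1", "::1") for v in listen_addresses(conf_text))


# Constructed sample pg_hba.conf; not taken from any real EPO host.
SAMPLE_HBA = """\
# constructed sample
local   all   all                            peer
host    all   all   127.0.0.1/32             scram-sha-256
host    all   all   ::1/128                  scram-sha-256
host    all   all   0.0.0.0/0                md5
host    epo   epo   10.20.0.0 255.255.0.0    md5
"""

if __name__ == "__main__":
    # Real use (paths are assumptions; adjust for the EPO host's PostgreSQL data directory):
    #   hba = open(r"C:\path\to\pg_hba.conf").read(); conf = open(r"C:\path\to\postgresql.conf").read()
    for rule in non_local_rules(SAMPLE_HBA):
        print(f"pg_hba.conf line {rule['line']}: {rule['type']} rule for "
              f"{rule['address']} is not restricted to localhost")
    print("listen_addresses is local:", listen_is_local("listen_addresses = 'localhost'\n"))
```

The two findings the sample produces (the 0.0.0.0/0 rule and the 10.20.0.0/255.255.0.0 rule) are exactly the kind of entries the advisory's "restrict PostgreSQL connections to localhost" step is meant to eliminate; a hardened host should report none, and listen_addresses should resolve to localhost only.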
Evidence notes
Primary evidence comes from the supplied CISA CSAF source item for ICSA-25-203-04, which lists Schneider Electric as the vendor and identifies affected products as EcoStruxure Power Operation (EPO) 2022: <=CU6 and EPO 2024: <=CU1. The source record was published 2025-07-22 and revised 2026-02-25. The record’s description includes upstream Envoy/nghttp2 text and upstream patch versions that do not align with the Schneider product context; this debrief preserves the advisory’s product scope and remediation details while flagging that inconsistency.
Official resources
- CVE-2023-35945 CVE record (CVE.org)
- CVE-2023-35945 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA in CSAF advisory ICSA-25-203-04 on 2025-07-22; updated 2026-02-25. No KEV listing is present in the supplied enrichment.