PatchSiren cyber security CVE debrief

CVE-2022-45198 Schneider Electric CVE debrief

The supplied CISA CSAF advisory maps CVE-2022-45198 to Schneider Electric EcoStruxure Power Operation (EPO) 2022 and 2024, with affected versions listed as EPO 2022 <=CU6 and EPO 2024 <=CU1. The record rates the issue 7.5 (High) with network access, no privileges, no user interaction, and availability impact only. The source corpus also says, "Versions of Pillow before 9.2.0 improperly handle highly compressed GIF data (data amplification)," which creates an apparent product/vulnerability mismatch in the published advisory; use the remediation guidance in the advisory and verify applicability against your installed EPO version.

Vendor: Schneider Electric
Product: EcoStruxure Power Operation (EPO) 2022
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-07-22
Original CVE updated: 2026-02-25
Advisory published: 2025-07-22
Advisory updated: 2026-02-25

Who should care

Schneider Electric EcoStruxure Power Operation administrators, OT/ICS operators, patch and change-management teams, and anyone running EPO 2022 CU6 or earlier, or EPO 2024 CU1 or earlier, especially if waveform analysis or ETAP simulation features are in use.

Technical summary

CISA republished Schneider Electric advisory ICSA-25-203-04 / SEVD-2025-189-03 for CVE-2022-45198. The advisory lists two affected product lines: EcoStruxure Power Operation (EPO) 2022 up to CU6 and EPO 2024 up to CU1. The remediation notes focus on updating to EPO 2022 CU7, applying patching carefully with backups and testing, and, where users do not need waveform analysis or ETAP simulation, uninstalling PostgreSQL; if those features are used, Schneider Electric recommends restricting PostgreSQL connections to localhost and upgrading PostgreSQL 14.10 to 14.17 or higher. The source text describing the CVE refers to a Pillow GIF data-amplification issue, but the advisory does not explain that linkage.

Defensive priority

High. The advisory is rated High (7.5) and the impact is availability-only, which is still operationally significant for OT environments. Prioritize any exposed or production EPO deployments that match the affected version ranges, then validate whether the PostgreSQL-related mitigations apply to your feature usage.

Recommended defensive actions

  • Apply the Schneider Electric remediation path for your product version, including EPO 2022 CU7 where applicable.
  • Back up systems and test patches in a non-production or offline environment before deployment.
  • If waveform analysis and ETAP simulation are not used, follow the advisory guidance to uninstall PostgreSQL.
  • If waveform analysis or ETAP simulation is used, restrict PostgreSQL to localhost-only connections as directed by Schneider Electric.
  • Upgrade PostgreSQL 14.10 to 14.17 or higher where the advisory indicates it is needed.
  • Limit control-system network exposure, keep EPO off the public Internet, and use segmented network architectures and secure remote access methods.
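To verify the two PostgreSQL mitigations above on a host that keeps the feature set, the following check reads a postgresql.conf fragment and a version banner and reports what is still out of line. This is an added example, not Schneider Electric or PatchSiren tooling; the config text and version banner are constructed, and the version-banner formats assumed are those of `SELECT version()` and `psql --version`.

```python
"""Check PostgreSQL settings against the advisory mitigation: localhost-only
connections and version 14.17 or higher. Added example, not Schneider
Electric tooling; the config and version banner below are constructed."""
import re

# Constructed sample of a postgresql.conf fragment before hardening.
SAMPLE_CONF = """
# - Connection Settings -
listen_addresses = '*'    # what IP address(es) to listen on
port = 5432
"""
# Constructed banner in the shape of SELECT version() output.
SAMPLE_VERSION = "PostgreSQL 14.10 on x86_64-pc-linux-gnu, compiled by gcc"

MIN_VERSION = (14, 17)          # advisory: upgrade 14.10 to 14.17 or higher
LOCAL_ONLY = {"localhost", "127.0.0.1", "::1"}

def parse_version(banner):
    """Return (major, minor) from a version() or psql --version banner."""
    m = re.search(r"PostgreSQL\)? (\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))

def listen_addresses(conf_text):
    """Return the configured listen_addresses list, ignoring comments."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"listen_addresses\s*=\s*'([^']*)'", line)
        if m:
            return [a.strip() for a in m.group(1).split(",") if a.strip()]
    return ["localhost"]        # PostgreSQL's default when the key is absent

def check(conf_text, banner):
    """Return a list of findings; empty means both mitigations are in place."""
    findings = []
    addrs = listen_addresses(conf_text)
    if not set(addrs) <= LOCAL_ONLY:
        findings.append(f"listen_addresses={addrs}: not restricted to localhost")
    major, minor = parse_version(banner)
    if (major, minor) < MIN_VERSION:
        findings.append(f"PostgreSQL {major}.{minor} is below 14.17")
    return findings

if __name__ == "__main__":
    for finding in check(SAMPLE_CONF, SAMPLE_VERSION) or ["no findings"]:
        print(finding)
```

On a live host, feed it the real postgresql.conf and the output of `psql --version`; also confirm pg_hba.conf does not grant remote access, which this check does not cover.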

Evidence notes

This debrief is based only on the supplied CISA CSAF source item and its embedded advisory metadata. The source includes revision history showing initial republication on 2025-07-22 and Update A on 2026-02-25, plus affected-product entries for EPO 2022 <=CU6 and EPO 2024 <=CU1. The source corpus also contains a description string about Pillow before 9.2.0 and highly compressed GIF data, which does not match the Schneider Electric product scope; that inconsistency is preserved here as a quality note rather than resolved with unsupported assumptions.

Official resources

CISA CSAF republication of Schneider Electric advisory ICSA-25-203-04 / SEVD-2025-189-03. Initial republication date in the source corpus: 2025-07-22T06:00:00.000Z. Update A date in the source corpus: 2026-02-25T07:00:00.000Z.