PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-28219 Schneider Electric CVE debrief

CVE-2024-28219 is represented in the supplied CSAF source as an Industrial Control Systems advisory for Schneider Electric EcoStruxure Power Operation (EPO) 2022 and 2024, with a CVSS 3.1 score of 6.7 (MEDIUM). The advisory context indicates affected deployments should move to the vendor-provided remediation path and review PostgreSQL-related mitigation steps if full patching is not immediately possible. The source corpus also contains a separate vulnerability description that references Pillow prior to 10.3.0, so the advisory/product mapping should be validated against the official Schneider Electric and CISA references before operational use.

Vendor: Schneider Electric
Product: EcoStruxure Power Operation (EPO) 2022
CVSS: 6.7 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-07-22
Original CVE updated: 2026-02-25
Advisory published: 2025-07-22
Advisory updated: 2026-02-25

Who should care

Schneider Electric EcoStruxure Power Operation operators, OT/ICS administrators, plant engineering teams, and defenders responsible for systems running EPO 2022 <=CU6 or EPO 2024 <=CU1.

Technical summary

The supplied CVSS vector (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) describes an issue that is reachable only locally (AV:L), has high attack complexity (AC:H), needs low privileges (PR:L) and user interaction (UI:R), does not change scope (S:U), and carries high confidentiality, integrity, and availability impact (C:H/I:H/A:H). In the CSAF advisory, the affected products are Schneider Electric EcoStruxure Power Operation (EPO) 2022 <=CU6 and EPO 2024 <=CU1. Update A states that remediations are available for EPO 2022, and the vendor guidance includes EPO 2022 CU7, PostgreSQL version changes, limiting PostgreSQL access to localhost for certain feature sets, or uninstalling PostgreSQL when waveform analysis and ETAP simulation are not used.

Defensive priority

Medium — the CVSS score is 6.7, and the advisory is for OT software where patch planning and validation matter, but the supplied vector does not indicate remote, low-complexity exploitation.

Recommended defensive actions

  • Validate asset inventory for EcoStruxure Power Operation 2022 and 2024 deployments, especially versions at or below CU6 and CU1.
  • Plan and test the vendor remediation path in a non-production or offline environment before deployment, with backups in place.
  • Apply EcoStruxure Power Operation 2022 CU7 where applicable.
  • If waveform analysis and ETAP simulation features are not used, follow the vendor guidance to uninstall PostgreSQL.
  • If those features are used, restrict PostgreSQL to localhost and update PostgreSQL 14.10 to 14.17 or higher per vendor guidance.
  • Review network segmentation and keep control/safety networks isolated from business networks; minimize Internet exposure and use secure remote access methods.
  • Consult the Schneider Electric security advisory SEVD-2025-189-03 and the vendor support contact path for environment-specific remediation guidance.
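As an added illustration of the PostgreSQL items in the list above (not code from PatchSiren, Schneider Electric, or CISA), the following script audits a deployment against the two checkable conditions: whether postgresql.conf restricts listen_addresses to localhost, and whether the server version meets the 14.17 floor the advisory gives. The configuration snippets and version strings are constructed samples; the feature-usage flag is a hypothetical input the operator supplies, since whether waveform analysis or ETAP simulation is in use cannot be read from PostgreSQL itself.

```python
"""Audit PostgreSQL exposure and version against the EPO mitigation guidance (added example)."""
import re
from typing import List, Tuple

MIN_VERSION: Tuple[int, int] = (14, 17)           # floor stated in the advisory guidance
LOCAL_ONLY = {"localhost", "127.0.0.1", "::1"}    # loopback names/addresses

# Constructed sample configurations (not taken from any real EPO host).
WEAK_CONF = """
# listen_addresses = 'localhost'   # commented out, so it has no effect
listen_addresses = '*'             # accepts TCP connections on every interface
port = 5432
"""
HARDENED_CONF = """
listen_addresses = 'localhost'     # loopback only
port = 5432
"""
WEAK_VERSION = "postgres (PostgreSQL) 14.10"
HARDENED_VERSION = "postgres (PostgreSQL) 14.17"


def parse_listen_addresses(conf_text: str) -> List[str]:
    """Effective listen_addresses: last uncommented assignment wins, default 'localhost'."""
    value = "localhost"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        m = re.match(r"listen_addresses\s*=?\s*'([^']*)'", line)
        if m:
            value = m.group(1)
    return [a.strip() for a in value.split(",") if a.strip()]


def is_local_only(addresses: List[str]) -> bool:
    """True when every listener is loopback; an empty list means Unix sockets only, stricter still."""
    return all(a.lower() in LOCAL_ONLY for a in addresses)


def parse_version(version_text: str) -> Tuple[int, int]:
    """Extract (major, minor) from `postgres --version` or SELECT version() output."""
    m = re.search(r"PostgreSQL\)?\s+(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError(f"cannot find a PostgreSQL version in {version_text!r}")
    return int(m.group(1)), int(m.group(2))


def audit(conf_text: str, version_text: str, features_in_use: bool) -> List[str]:
    """Return a list of findings; an empty list means the checkable guidance is met."""
    findings: List[str] = []
    if not features_in_use:
        findings.append("waveform analysis/ETAP simulation not in use: vendor guidance is to uninstall PostgreSQL")
        return findings
    addresses = parse_listen_addresses(conf_text)
    if not is_local_only(addresses):
        findings.append(f"listen_addresses={addresses} exposes PostgreSQL beyond localhost; set listen_addresses = 'localhost'")
    version = parse_version(version_text)
    if version < MIN_VERSION:
        findings.append(f"PostgreSQL {version[0]}.{version[1]} is below {MIN_VERSION[0]}.{MIN_VERSION[1]}; update per vendor guidance")
    return findings


if __name__ == "__main__":
    for label, conf, ver in (("weak", WEAK_CONF, WEAK_VERSION), ("hardened", HARDENED_CONF, HARDENED_VERSION)):
        print(label, audit(conf, ver, features_in_use=True) or ["no findings"])
    print("features unused", audit(HARDENED_CONF, HARDENED_VERSION, features_in_use=False))
```

The weak sample yields two findings (wildcard listener and 14.10 below the floor), the hardened sample none. Note that listen_addresses only controls which interfaces accept TCP connections; authentication rules in pg_hba.conf still need their own review, and this script does not replace the vendor's environment-specific guidance.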

Evidence notes

Timing and scope are taken from the supplied CISA CSAF source item: initial republication on 2025-07-22 and Update A on 2026-02-25. The advisory metadata lists affected products as EcoStruxure Power Operation (EPO) 2022 <=CU6 and EPO 2024 <=CU1, with Update A explicitly noting remediations available for EPO 2022. The source corpus also includes a vulnerability description referencing Pillow prior to 10.3.0, which conflicts with the Schneider Electric product mapping; this debrief follows the advisory/product scope in the CSAF data and flags the inconsistency for review.

Official resources

CISA CSAF advisory ICSA-25-203-04 was initially republished on 2025-07-22 and updated on 2026-02-25. The supplied source corpus maps CVE-2024-28219 to Schneider Electric EcoStruxure Power Operation 2022 and 2024, while also containing a non