PatchSiren cyber security CVE debrief
CVE-2024-8401 Schneider Electric CVE debrief
CVE-2024-8401 is a stored cross-site scripting (XSS) vulnerability in Schneider Electric's EcoStruxure Power Monitoring Expert (PME) and related products. The flaw exists in the folder name modification functionality, where an authenticated attacker can inject malicious scripts through manipulated folder names. The vulnerability was published on September 10, 2024, with a CVSS 3.1 score of 5.4 (Medium severity). The attack requires network access, low attack complexity, and low privileges, with user interaction required. The vulnerability affects seven product variants across PME 2020-2021, EcoStruxure Power Operation (EPO) 2021-2022, and Power SCADA Operation 2020. Successful exploitation could allow script execution in the context of other users' sessions, potentially leading to session hijacking or unauthorized actions.
- Vendor: Schneider Electric
- Product: EcoStruxure™ Power Monitoring Expert (PME) 2021
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-09-10
- Original CVE updated: 2024-09-10
- Advisory published: 2024-09-10
- Advisory updated: 2024-09-10
Who should care
Organizations operating Schneider Electric EcoStruxure Power Monitoring Expert, Power Operation, or Power SCADA Operation systems in industrial, commercial, or utility environments. Security teams responsible for OT/ICS infrastructure, power management systems, and building automation. Compliance officers managing critical infrastructure security standards.
Technical summary
The vulnerability stems from improper neutralization of input during web page generation (CWE-79) in the folder naming functionality. An authenticated attacker can modify folder names to include malicious JavaScript payloads. When other users view or interact with these folders, the injected scripts execute in their browser context. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N indicates network attack vector, low complexity, low privileges required, user interaction required, changed scope, with low impacts to confidentiality and integrity. The vulnerability spans multiple product lines including PME 2021 CU1 and prior, PME 2020 CU3 and prior, EPO 2022 CU4 and prior, EPO 2021 CU3 Hotfix 2 and prior, and PSO 2020 Advanced Reporting (all versions).
Defensive priority
medium
Recommended defensive actions
- Apply vendor patches: upgrade to EcoStruxure Power Monitoring Expert 2021 CU2 or 2022, or EcoStruxure Power Operation 2022 CU5 or 2021 CU3 Hotfix 3 as applicable
- For end-of-life products (PME 2020, PSO 2020 Advanced Reporting), plan migration to supported versions
- Implement input validation and output encoding for folder name fields in custom implementations
- Apply principle of least privilege to limit authenticated user capabilities
- Monitor for suspicious folder name modifications in audit logs
- Review and apply CISA ICS recommended practices for defense-in-depth strategies
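An added example, not code from Schneider Electric or the advisory, covering the validation, output-encoding and audit-log items above for a custom integration that stores or displays folder names. The allowlist policy, the JSON audit-event field names and the sample events are assumptions constructed for illustration.

```python
import html
import json
import re

# Assumed allowlist for a custom integration (not a vendor-documented rule):
# letters, digits, underscore, space and . ( ) - with a length of 1 to 64.
ALLOWED_NAME = re.compile(r"[\w .()\-]{1,64}")

def is_valid_folder_name(name: str) -> bool:
    """Input validation: accept only names that fully match the allowlist."""
    return ALLOWED_NAME.fullmatch(name) is not None

def render_folder_label(name: str) -> str:
    """Output encoding: HTML-escape the name wherever it is written into a page."""
    return html.escape(name, quote=True)

def flag_renames(log_lines):
    """Return folder-rename events whose new name fails the allowlist."""
    flagged = []
    for line in log_lines:
        event = json.loads(line)
        if event.get("action") != "folder_rename":
            continue
        if not is_valid_folder_name(event["new_name"]):
            flagged.append(event)
    return flagged

# Constructed sample audit events (JSON lines). The field names are
# hypothetical and do not describe the product's real audit log format.
SAMPLE_LOG = [
    '{"ts": "2024-09-12T08:14:02Z", "user": "alice", "action": "folder_rename", "new_name": "Q3 Reports (2024)"}',
    '{"ts": "2024-09-12T08:20:41Z", "user": "bob", "action": "folder_rename", "new_name": "Feeders<script>alert(1)</script>"}',
    '{"ts": "2024-09-12T08:31:10Z", "user": "carol", "action": "folder_rename", "new_name": "Bus A\\" x=\\""}',
    '{"ts": "2024-09-12T08:40:00Z", "user": "dave", "action": "login"}',
]

if __name__ == "__main__":
    # Flagged names are escaped before they are echoed into any report.
    for event in flag_renames(SAMPLE_LOG):
        print(event["ts"], event["user"], render_folder_label(event["new_name"]))
```

Validation on input and escaping on output are independent controls: names stored before the allowlist existed still need escaping at render time.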
Evidence notes
CISA CSAF advisory ICSA-25-014-03 provides authoritative technical details and remediation guidance. Schneider Electric security notice SEVD-2024-254-02 contains vendor-specific patch information. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Official resources
- CVE-2024-8401 CVE record (CVE.org)
- CVE-2024-8401 NVD detail (NVD)
- Source item URL (cisa_csaf)