PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-9005 Schneider Electric CVE debrief

CVE-2024-9005 is a high-severity deserialization vulnerability in Schneider Electric EcoStruxure Power Monitoring Expert (PME). According to the advisory, unsafely deserialized data posted to the web server could allow remote code execution on the server. Schneider Electric provides a fix for PME 2022, while PME 2021 and prior are out of support and should be upgraded.
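The CWE-502 failure mode the advisory describes (serialized input that, when loaded, makes the server run code the sender chose) in miniature, as an added example that is not PME code: the page does not identify which serializer PME uses, so this uses Python's pickle as a language-neutral stand-in. The harmless callable `platform.python_version`, the allowlist contents and the `meter`/`reading` field names are all constructed for the illustration; the contrast is the vulnerable handler, an allowlisting unpickler, and the data-only JSON handler a web endpoint should prefer.

```python
"""CWE-502 in miniature: an unpickler that trusts posted bytes versus one that
allowlists what may be reconstructed (added example; not PME code, and the
serializer PME actually uses is not identified on this page)."""
import io
import json
import pickle
import platform


class Probe:
    """A class whose serialized form tells the unpickler to CALL a function.
    The function here (platform.python_version) is deliberately harmless; the
    point is that the sender of the bytes, not the server, chose what runs."""

    def __reduce__(self):
        return (platform.python_version, ())


def unsafe_handle(body):
    """The vulnerable pattern: deserializing a request body with full power."""
    return pickle.loads(body)


class AllowlistUnpickler(pickle.Unpickler):
    """Refuses every global except a fixed set of data-only types, so a stream
    cannot name a callable for the unpickler to execute."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
               ("builtins", "str"), ("builtins", "int"), ("builtins", "float")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def hardened_handle(body):
    """Returns ('ok', obj) for data-only streams and ('refused', reason) otherwise."""
    try:
        return ("ok", AllowlistUnpickler(io.BytesIO(body)).load())
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))


def json_handle(body):
    """Preferred shape for web input: a data-only format plus explicit validation.
    The field names 'meter' and 'reading' are constructed for this example."""
    data = json.loads(body.decode("utf-8"))
    if not isinstance(data, dict) or set(data) != {"meter", "reading"}:
        raise ValueError("unexpected fields")
    if not isinstance(data["meter"], str) or not isinstance(data["reading"], (int, float)):
        raise ValueError("unexpected field types")
    return data


def demo():
    """Run the handlers over a constructed callable-bearing stream and a
    constructed data-only stream; returns the outcomes so they can be checked."""
    probe = pickle.dumps(Probe())                           # constructed: names a callable
    benign = pickle.dumps({"meter": "M1", "reading": 3.5})  # constructed: data only
    return {
        # True means loading the bytes executed the sender-chosen function.
        "unsafe_ran_callable": unsafe_handle(probe) == platform.python_version(),
        "hardened_probe": hardened_handle(probe)[0],        # 'refused'
        "hardened_benign": hardened_handle(benign),         # ('ok', {...})
        "json": json_handle(b'{"meter": "M1", "reading": 3.5}'),
    }


if __name__ == "__main__":
    print(demo())
```

The allowlisting unpickler is a containment measure for code that cannot drop pickle immediately; the JSON handler is the design to migrate to, because a data-only format gives the unpickler nothing to call in the first place. Note that the allowlist is only consulted for globals named in the stream, so plain dicts and lists pass through it untouched.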

Vendor: Schneider Electric
Product: EcoStruxure Power Monitoring Expert (PME)
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-10-08
Original CVE updated: 2025-05-13
Advisory published: 2024-10-08
Advisory updated: 2025-05-13

Who should care

Organizations running Schneider Electric EcoStruxure Power Monitoring Expert (PME), especially PME 2022 and any 2021-or-older deployments. Security and operations teams responsible for industrial control or building/energy monitoring environments should prioritize this advisory.

Technical summary

The advisory describes a CWE-502 deserialization-of-untrusted-data issue affecting Schneider Electric EcoStruxure Power Monitoring Expert (PME). The supplied CVSS v3.1 vector is AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H: the flaw is reachable over the network, but attack complexity is high (conditions outside the attacker's control must hold), low privileges are required, and user interaction is required; scope is unchanged, and the confidentiality, integrity and availability impacts are all high. The reported impact is remote code execution on the server when unsafe serialized input is posted to the web server. A vendor hotfix is available for PME 2022; PME 2021 and prior are listed as end-of-life and should be replaced or upgraded.

Defensive priority

High: apply the PME 2022 hotfix promptly, and plan immediate migration off unsupported PME 2021-and-prior systems.

Recommended defensive actions

  • Apply Schneider Electric Hotfix_75031_PME2022 for EcoStruxure Power Monitoring Expert (PME) 2022, obtained through the Schneider Electric Customer Care Center.
  • Upgrade PME 2021 and prior to a supported current version; the advisory states these versions have reached end-of-life support.
  • Follow CISA ICS recommended practices and defense-in-depth guidance while remediation is scheduled.
  • Review any exposure of the PME web server and restrict access to trusted administrative paths until remediation is complete.

Evidence notes

Primary evidence comes from CISA CSAF advisory ICSA-25-037-01 and Schneider Electric Security and Safety Notice SEVD-2024-282-05, both published on 2024-10-08 and updated on 2025-05-13. The advisory lists affected products as Schneider Electric EcoStruxure Power Monitoring Expert (PME) Version 2022 and Version 2021 and prior, and states that unsafe deserialization can permit remote code execution on the server. Remediation details in the source include Hotfix_75031_PME2022 for PME 2022 and upgrade guidance for unsupported versions.

Official resources

Publicly disclosed in the CISA/Schneider Electric advisory on 2024-10-08; the advisory was later revised on 2025-05-13.