PatchSiren cyber security CVE debrief
CVE-2025-0327 Schneider Electric CVE debrief
CVE-2025-0327 is a high-severity privilege management issue in Schneider Electric EcoStruxure™ Process Expert. According to the CISA CSAF advisory and Schneider Electric notice, a local attacker with standard privileges can modify the executable path of two Windows services; after those services are restarted, the issue can impact confidentiality, integrity, and availability on the engineering workstation.
- Vendor
- Schneider Electric
- Product
- EcoStruxure™ Process Expert
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-02-11
- Original CVE updated
- 2025-02-11
- Advisory published
- 2025-02-11
- Advisory updated
- 2025-02-11
Who should care
OT/ICS defenders, Schneider Electric EcoStruxure Process Expert operators, engineering workstation administrators, and teams responsible for Windows service hardening and application control in industrial environments.
Technical summary
The advisory describes CWE-269 improper privilege management affecting two Windows services: one that manages audit trail data and one that acts as a server for client requests. The attack requires local standard-user privileges and service restart to take effect. CISA lists affected products as EcoStruxure™ Process Expert 2020 R2, 2021, and 2023 versions prior to v4.8.0.5715, plus the AVEVA System Platform variants identified in the advisory. Schneider Electric states that v4.8.0.5715 includes a fix for EcoStruxure™ Process Expert 2023 and that mitigation guidance includes restricting execute permission for sc.exe/service-control utilities to administrators and using application control/whitelisting.
Defensive priority
High priority for any site running affected EcoStruxure Process Expert deployments, especially where standard users have access to engineering workstations or service configuration utilities.
Recommended defensive actions
- Verify whether any engineering workstation is running an affected EcoStruxure™ Process Expert release or an affected AVEVA System variant named in the advisory.
- Apply Schneider Electric's fixed release for EcoStruxure™ Process Expert 2023 (v4.8.0.5715) where applicable; follow vendor guidance to uninstall the prior 2023 version before installing the fixed package.
- Restrict execution and use of Windows service configuration utilities such as sc.exe to administrative users only.
- Use application control/whitelisting controls such as McAfee Application and Change Control as recommended by Schneider Electric.
- Review and harden Windows service permissions and startup paths on impacted engineering workstations.
- Monitor for unauthorized changes to service executable paths and unexpected service restarts on affected hosts.
Evidence notes
All claims are sourced from the supplied CISA CSAF advisory for ICSA-25-079-01 / CVE-2025-0327 and the referenced Schneider Electric security notice. The advisory explicitly states the local privilege prerequisite, the service-path modification condition, the need for service restart, the impacted product families/versions, and the vendor mitigation and fixed release information.
Official resources
-
CVE-2025-0327 CVE record
CVE.org
-
CVE-2025-0327 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed by CISA and Schneider Electric on 2025-02-11, with the CVE and source advisory published the same day.