PatchSiren cyber security CVE debrief

CVE-2025-11739 Schneider Electric CVE debrief

CVE-2025-11739 is a high-severity unsafe deserialization issue in Schneider Electric EcoStruxure Power Monitoring Expert (PME) and related EcoStruxure Power Operation (EPO) reporting/dashboard components. A locally authenticated attacker who can send a crafted data stream may trigger arbitrary code execution with administrative privileges. The advisory was published on 2026-03-10 and republished by CISA on 2026-03-19.

Vendor: Schneider Electric
Product: EcoStruxure Power Monitoring Expert (PME) 2022
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-03-19
Advisory published: 2026-03-10
Advisory updated: 2026-03-19

Who should care

OT/ICS defenders, Windows and application administrators, and operators running EcoStruxure PME or EPO—especially environments with shared local access, elevated accounts, or older end-of-life deployments such as PME 2022 and EPO 2022.

Technical summary

The vulnerability is described as a deserialization of untrusted data / unsafe deserialization flaw. With local authentication and low privileges, an attacker may supply a crafted data stream that the application processes unsafely, potentially resulting in arbitrary code execution as an administrator. The source advisory associates the issue with PME releases through 2024 R2 and EPO advanced reporting/dashboard modules, and it lists vendor hotfixes for 2023R2 and 2024R2 plus an upgrade path to PME 2024 R3. The advisory text reports CVSS v4.0 Base Score 8.5 (High).

Defensive priority

High. Prioritize remediation on any PME/EPO deployment where local users or shared administrator access exist, because the flaw can escalate to administrative code execution.

Recommended defensive actions

  • Apply Schneider Electric hotfix Hotfix_279338_Release_2024R2 for EcoStruxure PME 2024R2 where applicable; Schneider states no reboot is required.
  • Apply Schneider Electric Hotfix_282807 for EcoStruxure PME 2023R2 where applicable; Schneider states no reboot is required.
  • Upgrade to EcoStruxure Power Monitoring Expert (PME) 2024 R3, which Schneider lists as the preferred remediation path.
  • For PME 2022 and EPO 2022 end-of-life deployments with no vendor fix planned, isolate the system, restrict network access with Windows Firewall, and limit access to essential users only.
  • Audit Windows-authenticated and elevated accounts that can reach PME/EPO, revoke unnecessary access, and enforce least privilege and strong password policies.
  • Follow Schneider Electric’s cybersecurity hardening guidance for PME, including isolated-network placement and periodic permission reviews.
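The isolation and account-review steps above can be scripted so that they are repeatable and leave an auditable record. The following PowerShell is an added example written for this debrief; it is not Schneider Electric or PatchSiren code. It assumes a Windows host running PME/EPO, a management subnet that is the only network allowed to reach it, a list of inbound TCP ports the application needs (the advisory does not list them; take them from Schneider's PME hardening guidance), and a list of accounts that are supposed to hold local administrator rights. All of those values are placeholders to be replaced with site-specific ones.

```powershell
# Added defensive example for the compensating controls above (not Schneider or PatchSiren code).
# Assumptions, all placeholders to be replaced with site values:
#   $ManagementSubnet  the only network allowed to reach the PME/EPO host
#   $RequiredPorts     inbound TCP ports PME/EPO actually needs; take these from Schneider's
#                      hardening guide, the advisory summarized here does not list them
#   $EssentialAdmins   accounts that are expected to be members of local Administrators
# Run from an elevated PowerShell session on the PME/EPO host.

$ManagementSubnet = '10.0.50.0/24'                                 # placeholder
$RequiredPorts    = @(443)                                         # placeholder, confirm with vendor guidance
$EssentialAdmins  = @('PME-HOST\Administrator', 'CORP\pme-admins') # placeholder
$RulePrefix       = 'PME-Isolation'

# 1. Default-deny inbound traffic on every firewall profile. Because block rules win over
#    allow rules in Windows Firewall, the default action (not an explicit block rule) is
#    what should close everything that is not allowed below.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Remove any earlier copy of these rules so the script can be re-run safely.
Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Allow only the management subnet to reach the ports the application requires.
foreach ($port in $RequiredPorts) {
    New-NetFirewallRule -DisplayName "$RulePrefix allow TCP $port from management" `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $port `
        -RemoteAddress $ManagementSubnet -Profile Any | Out-Null
}

# 4. Audit local Administrators membership and flag anything outside the expected list.
#    This supports the "revoke unnecessary access" step; it does not remove accounts itself.
$members    = Get-LocalGroupMember -Group 'Administrators'
$unexpected = $members | Where-Object { $EssentialAdmins -notcontains $_.Name }
if ($unexpected) {
    Write-Warning 'Unexpected members of local Administrators; review and remove if not needed:'
    $unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
} else {
    Write-Output 'Local Administrators group matches the essential-admin list.'
}

# 5. Record the resulting rule set for the change ticket.
Get-NetFirewallRule -DisplayName "$RulePrefix*" |
    Select-Object DisplayName, Enabled, Direction, Action | Format-Table -AutoSize
```

Two practical notes: include the remote-management ports you depend on (RDP, WinRM) in `$RequiredPorts` before running this, and verify access from the management subnet while the local console session is still open, since a default-deny inbound policy with the wrong allow list will lock out remote administration. This script is the compensating control the advisory gives for end-of-life PME 2022 and EPO 2022; on supported releases it complements, and does not replace, the hotfixes and the 2024 R3 upgrade listed above.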

Evidence notes

The supplied source corpus ties this CVE to Schneider Electric advisory SEVD-2026-069-06 and CISA advisory ICSA-26-078-04, both published on 2026-03-10, with a CISA republication on 2026-03-19. The advisory text states that a locally authenticated attacker can trigger unsafe deserialization and potentially achieve arbitrary code execution with administrative privileges. Remediation entries name hotfixes for 2023R2 and 2024R2, the PME 2024 R3 upgrade path, and no-fix-planned guidance for end-of-life 2022 products. The source data includes a CVSS v4.0 8.5/High statement and also carries a CVSS 3.1 vector field in metadata.

Official resources

Publicly disclosed on 2026-03-10; the source record was republished/updated by CISA on 2026-03-19. No KEV listing is present in the supplied record.