PatchSiren


CVE-2025-1960 Schneider Electric CVE debrief

CVE-2025-1960 is a critical Schneider Electric WebHMI issue tied to insecure default credentials (CWE-1188). According to the advisory, if the system's default password credentials are not changed on first use, an attacker could execute unauthorized commands. The advisory also says the default username is not displayed correctly in the WebHMI interface, which can make first-use hardening easier to miss. Schneider Electric provides a hotfix, WebHMI_Fix_users_for_Standard.V1, and recommends defense-in-depth measures, including keeping WebHMI off the internet.

Vendor: Schneider Electric
Product: WebHMI
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-03-11
Original CVE updated: 2025-03-11
Advisory published: 2025-03-11
Advisory updated: 2025-03-11

Who should care

OT/ICS operators, Schneider Electric WebHMI administrators, EPAS User Interface and EMO-L owners, plant security teams, integrators, and incident responders responsible for remotely reachable HMI environments.

Technical summary

CISA's CSAF advisory and Schneider Electric's notice describe an insecure-defaults condition in WebHMI version 4.1.0.0 and prior when installed with EPAS User Interface version 2.6.30.19 and prior, including the EMO-L default component. The issue is network exploitable, requires no privileges or user interaction per the supplied CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and can lead to unauthorized command execution when default credentials remain unchanged. The advisory notes that the default username is not displayed correctly in the WebHMI interface, which may impede safe initial setup.

Defensive priority

Urgent: immediate patching priority.

Recommended defensive actions

  • Apply Schneider Electric hotfix WebHMI_Fix_users_for_Standard.V1 through the Customer Care Center for affected WebHMI and EMO-L deployments.
  • Verify that the default username and password were changed on first use, and remediate any system still using defaults; because the advisory states that the default username is not displayed correctly in the WebHMI interface, confirm the account name against vendor documentation rather than the UI alone.
  • Do not expose WebHMI to the internet; restrict access with segmentation, VPN, allowlists, and other OT network controls.
  • Implement the vendor's hardening guidance and CISA ICS defense-in-depth recommendations for the affected environment.
  • Monitor for unauthorized WebHMI access or command activity and coordinate with Schneider Electric support if remediation is unclear.

Evidence notes

The supplied corpus includes the CISA CSAF advisory ICSA-25-077-03 and Schneider Electric Security and Safety Notice SEVD-2025-070-03, both dated 2025-03-11. Those sources state that WebHMI version 4.1.0.0 and prior, as used with EPAS User Interface version 2.6.30.19 and prior or as a default component of EMO-L, may permit unauthorized command execution if default password credentials were not changed on first use. They also note that the default username is not displayed correctly in the WebHMI interface. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Official resources

Public advisory date used for this CVE: 2025-03-11T04:00:00Z. The CVE was published and modified the same day in the supplied timeline. No KEV entry was supplied.