PatchSiren cyber security CVE debrief

CVE-2025-2440 Schneider Electric CVE debrief

CVE-2025-2440 is a medium-severity issue in Schneider Electric's Trio™ Q Licensed Data Radio. According to the CISA advisory, sensitive information may be stored insecurely in a way that could lead to unauthorized access to confidential data if an attacker has physical access, advanced knowledge of the file system, and can place the radio into factory default mode. Schneider Electric states that firmware v2.7.2 addresses the issue.

Vendor: Schneider Electric
Product: Trio™ Q Licensed Data Radio
CVSS: MEDIUM 4.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-08
Original CVE updated: 2025-04-08
Advisory published: 2025-04-08
Advisory updated: 2025-04-08

Who should care

Asset owners, OT/ICS administrators, and maintenance teams responsible for Schneider Electric Trio™ Q Licensed Data Radio deployments, especially where devices may be physically accessible or decommissioned.

Technical summary

The advisory identifies a CWE-922 insecure storage of sensitive information condition affecting Trio™ Q Licensed Data Radio versions prior to 2.7.2. The stated exposure path is physical access combined with advanced filesystem knowledge, followed by setting the radio into factory default mode, which could allow access to confidential data. The published CVSS vector is AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, reflecting the physical-access requirement and confidentiality impact.

Defensive priority

Medium priority. The issue requires physical access and high attack complexity, but it can expose confidential data; remediation is available and should be scheduled promptly for exposed or sensitive deployments.

Recommended defensive actions

  • Upgrade Trio™ Q Licensed Data Radio firmware to version 2.7.2 or later, following Schneider Electric's firmware updating and maintenance instructions.
  • Verify firmware integrity using the hash published with the release notes before and after installation.
  • Restrict physical access to installed radios and secure units during storage, maintenance, and decommissioning.
  • If immediate upgrading is not possible, apply the vendor mitigation guidance in the advisory and user manual to reduce exposure.

Evidence notes

CISA's CSAF advisory ICSA-25-107-01, published on 2025-04-08, lists Schneider Electric Trio™ Q Licensed Data Radio versions prior to 2.7.2 as affected. The advisory describes the issue as CWE-922 and provides the CVSS v3.1 vector CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. Schneider Electric's remediation guidance states that firmware v2.7.2 includes fixes and that installation should follow the Trio Q Series Data Radio User Manual.

Official resources

Publicly disclosed in CISA ICS Advisory ICSA-25-107-01 on 2025-04-08, with vendor remediation available at the same time.