CVE-2025-2441 Schneider Electric CVE debrief

Who should care

Industrial control system owners and operators using Schneider Electric Trio™ Q Licensed Data Radio devices, especially sites where equipment may be physically accessible to unauthorized personnel. OT security teams, maintenance staff, system integrators, and field technicians should also care because mitigation depends on firmware updating, physical security, and firmware verification.

Technical summary

The advisory describes a CWE-1188 incorrect initialization of resource condition in Schneider Electric Trio™ Q Licensed Data Radio devices. The affected scope is version prior to 2.7.2. The vulnerability is exploitable only with physical access and is associated with factory default mode, where not all data is correctly initialized. The documented impact is loss of confidentiality, and the published CVSS vector is AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6 medium).

Defensive priority

Moderate. Apply the vendor firmware fix promptly if these radios are deployed in accessible environments or handle sensitive data. The issue requires physical access, but the confidentiality impact is high, so devices in fielded or lightly protected locations should be prioritized.

Recommended defensive actions

• Upgrade Trio™ Q Licensed Data Radio firmware to version 2.7.2 or later using Schneider Electric's published update package.
• Follow Section 10 Part J of the Trio Q Series Data Radio User Manual to download, install, and verify the new firmware version.
• Verify installed firmware using the hash published with the release notes before deployment or return to service.
• Restrict physical access to deployed radios and place them in secure locations to reduce the chance of unauthorized interaction.
• Securely dispose of decommissioned radios to prevent unauthorized physical access to equipment and data.
• If immediate patching is not possible, apply the vendor's listed mitigations and document residual risk for affected assets.

Evidence notes

CISA's CSAF advisory ICSA-25-107-01 states that the issue affects Schneider Electric Trio™ Q Licensed Data Radio version prior to 2.7.2 and describes a CWE-1188 incorrect initialization of resource condition that can cause confidentiality loss when a malicious user with physical access sets the radio in factory default mode. The advisory lists CVSS 4.6 with vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Schneider Electric's referenced security notice and firmware release materials identify v2.7.2 as the fix and instruct users to follow the manual's firmware update and verification steps. The enrichment provided here indicates the CVE is not in CISA KEV and no ransomware campaign use is known.

Official resources