Schneider Electric's EcoStruxure IT Data Center Expert, its monitoring and management software for data center equipment, is affected by six security flaws that could be exploited for information disclosure and remote access in critical infrastructure environments, according to GBHackers News.
The most severe of the vulnerabilities is a critical operating system command injection issue, tracked as CVE-2025-50121, which could be leveraged for remote code execution. The remaining flaws are an insufficient entropy bug, tracked as CVE-2025-50122, which could allow the root password to be reverse-engineered; a code injection bug, tracked as CVE-2025-50123, which could lead to RCE; and an improper privilege management vulnerability, tracked as CVE-2025-50124, which could enable privilege escalation. Attackers could also abuse a server-side request forgery issue, tracked as CVE-2025-50125, for RCE, and an XML external entity flaw, tracked as CVE-2025-6438, for unauthorized file access. Organizations running EcoStruxure IT Data Center Expert have been urged to upgrade promptly to version 9.0 of the software, which remediates all six issues.