CVE-2025-11739 — Deserialization of Untrusted Data in Electric Ecostruxure Power Monitoring Expert

CWE-502 — Deserialization of Untrusted Data3 documents3 sources

Severity

8.5HIGHNVD

EPSS

0.1%

top 75.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider Electric Ecostruxure Power Monitoring Expert Schneider Electric Ecostruxure Power Operation Advanced Reporting AND Dashboards Module

Timeline

PublishedMar 10

Description

CWE‑502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stream, triggering unsafe deserialization.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5schneider_electric/ecostruxure_power_monitoring_expert5 versions+4

▶CVEListV5schneider_electric/ecostruxure_power_operation_advanced_reporting_and_dashboards_moduleVersion 2022, Version 2024+1

🔴Vulnerability Details

CVEList

CVE-2025-11739: CWE‑502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locall↗2026-03-10

▶

GHSA

GHSA-8hcj-8666-8jwh: CWE‑502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locall↗2026-03-10

▶