CVE-2025-13905 — Incorrect Default Permissions in Electric Ecostruxure Process Expert

CWE-276 — Incorrect Default Permissions3 documents3 sources

Severity

7.0HIGHNVD

EPSS

0.0%

top 96.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Schneider Electric Ecostruxure Process Expert Schneider Electric Ecostruxure Process Expert FOR Aveva System Platform

Timeline

PublishedJan 29

Description

CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation through the reverse shell when one or more executable service binaries are modified in the installation folder by a local user with normal privilege upon service restart.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5schneider_electric/ecostruxure_process_expertVersions prior to 2025

▶CVEListV5schneider_electric/ecostruxure_process_expert_for_aveva_system_platformAll versions

🔴Vulnerability Details

GHSA

GHSA-pfjm-7gj6-rrrx: CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation through the reverse shell when one or more executabl↗2026-01-29

▶

CVEList

CVE-2025-13905: CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation through the reverse shell when one or more executabl↗2026-01-29

▶