CVE-2025-1960
published 2025-03-12CVE-2025-1960: CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could cause an attacker to execute unauthorized commands when a…
PriorityP262critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.50%
38.8th percentile
CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could cause an
attacker to execute unauthorized commands when a system’s default password credentials have not been
changed on first use. The default username is not displayed correctly in the WebHMI interface.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| schneider_electric | webhmi_deployed_with_ecostruxure_power_automation_system | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Target product is WebHMI v4.1.0.0 and prior, deployed with EcoStruxure Power Automation System versions 2.6.30.19 and prior. Exploitation involves use of default credentials where the default username is not displayed correctly in the WebHMI interface. ↗
- →Exploitation is network-accessible with no authentication required (CVSS PR:N, UI:N). Prioritize detection of unauthenticated remote login attempts against WebHMI interfaces exposed on the network. ↗
- →WebHMI should not be internet-exposed. Detect and alert on any WebHMI interface reachable from outside the OT/ICS network perimeter. ↗
- ·The vulnerability is only exploitable when default credentials have not been changed on first use. The default username is silently misconfigured — it is not displayed correctly in the WebHMI interface, meaning administrators may be unaware of its existence. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
Schneider Electric EcoStruxure Power Automation System
cisa_ics·2025-03-18·CVSS 9.8
[CRITICAL] Schneider Electric EcoStruxure Power Automation System
ICS Advisory
##
Schneider Electric EcoStruxure Power Automation System
Release DateMarch 18, 2025
Alert CodeICSA-25-077-03
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.2
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Schneider Electric
- Equipment: WebHMI – Deployed with EcoStruxure Power Automation System
- Vulnerability: Initialization of a Resource with an Insecure Default
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow unauthorized access to the underlying software application running WebHMI.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
Schneider Electric reports the following products are affected because
GHSA
GHSA-5mrq-42cr-23mg: CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could cause an
attacker to execute unauthorized commands whe
ghsa_unreviewed·2025-03-12
CVE-2025-1960 [CRITICAL] CWE-1188 GHSA-5mrq-42cr-23mg: CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could cause an
attacker to execute unauthorized commands whe
CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could cause an
attacker to execute unauthorized commands when a system’s default password credentials have not been
changed on first use. The default username is not displayed correctly in the WebHMI interface.
No detection rules found.
No public exploits indexed.
2025-03-12
Published