1. EXECUTIVE SUMMARY
- CVSS v4 9.2
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Schneider Electric
- Equipment: WebHMI – Deployed with EcoStruxure Power Automation System
- Vulnerability: Initialization of a Resource with an Insecure Default
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow unauthorized access to the underlying software application running WebHMI.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports the following products are affected because they use WebHMI v4.1.0.0 and prior:
- EcoStruxure Power Automation System: Versions 2.6.30.19 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 Initialization of a Resource with an Insecure Default CWE-1188
An initialization of a resource with an insecure default vulnerability exists that could allow an attacker to execute unauthorized commands when the system's default password credentials have not been changed on first use. The default username is not displayed correctly in the WebHMI interface.
CVE-2025-1960 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-1960. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
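The weakness above is CWE-1188: a credential provisioned at initialization keeps working until an operator happens to change it. The following Python model, added here as an illustration and not code from Schneider Electric or the WebHMI product, places that insecure-default pattern next to a hardened initialization that refuses to run anything but a password change while the factory credential is still active, and adds an offline audit an operator can run over a credential store. The advisory does not disclose WebHMI's actual default username, default password or login flow, so FACTORY_USER, FACTORY_PASSWORD and the login/command interface are constructed placeholders.

```python
"""
CWE-1188 (Initialization of a Resource with an Insecure Default) shown on a toy HMI:
an insecure-default implementation beside a hardened one, plus a default-credential audit.
Added example; not Schneider Electric / WebHMI code. The factory credential below is a
constructed placeholder, not the product's real default.
"""
import hashlib
import hmac
import os

# Constructed placeholder factory credential (assumption; the advisory does not publish WebHMI's).
FACTORY_USER = "admin"
FACTORY_PASSWORD = "admin"
MIN_PASSWORD_LEN = 12


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Account:
    def __init__(self, username: str, password: str, must_change: bool = False):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.must_change = must_change  # True while the factory credential is still in force

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


class InsecureDefaultHMI:
    """Vulnerable pattern: the factory account is fully privileged from first boot
    and nothing forces the operator to rotate it."""

    def __init__(self):
        self.accounts = {FACTORY_USER: Account(FACTORY_USER, FACTORY_PASSWORD)}

    def run_command(self, username: str, password: str, cmd: str) -> str:
        acct = self.accounts.get(username)
        if acct is None or not acct.verify(password):
            raise PermissionError("authentication failed")
        return f"executed {cmd!r} as {username}"


class HardenedHMI:
    """Hardened pattern: the factory account exists only to bootstrap. A session opened
    with it may do nothing but set a new password, and the factory password is rejected
    as the replacement."""

    def __init__(self):
        self.accounts = {FACTORY_USER: Account(FACTORY_USER, FACTORY_PASSWORD, must_change=True)}

    def change_password(self, username: str, old: str, new: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or not acct.verify(old):
            raise PermissionError("authentication failed")
        if new == FACTORY_PASSWORD or len(new) < MIN_PASSWORD_LEN:
            raise ValueError("new password is the factory default or too short")
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new, acct.salt)
        acct.must_change = False
        return True

    def run_command(self, username: str, password: str, cmd: str) -> str:
        acct = self.accounts.get(username)
        if acct is None or not acct.verify(password):
            raise PermissionError("authentication failed")
        if acct.must_change:
            raise PermissionError("factory credential still active; password change required")
        return f"executed {cmd!r} as {username}"


def audit_default_credentials(hmi, known_defaults) -> list:
    """Offline check over a credential store: list (user, password) pairs for every
    account that still accepts an entry from a known-default list."""
    return [(user, pw) for user, acct in hmi.accounts.items()
            for pw in known_defaults if acct.verify(pw)]


def demo() -> dict:
    """Exercise both implementations with the factory credential and report the outcomes."""
    vuln, hard = InsecureDefaultHMI(), HardenedHMI()
    results = {"vuln_default_cmd": vuln.run_command(FACTORY_USER, FACTORY_PASSWORD, "restart")}
    try:
        hard.run_command(FACTORY_USER, FACTORY_PASSWORD, "restart")
        results["hard_default_cmd"] = "allowed"
    except PermissionError:
        results["hard_default_cmd"] = "blocked"
    hard.change_password(FACTORY_USER, FACTORY_PASSWORD, "correct-horse-battery-7")
    results["hard_after_rotation"] = hard.run_command(FACTORY_USER, "correct-horse-battery-7", "restart")
    defaults = [FACTORY_PASSWORD, "password"]  # constructed known-default list
    results["audit_vuln"] = audit_default_credentials(vuln, defaults)
    results["audit_hard"] = audit_default_credentials(hard, defaults)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit function is the part an asset owner can act on today: the same loop, run against an exported credential store or a login endpoint, tells you whether a deployed device is still in the state the advisory describes, and the hardened class shows the behaviour a vendor fix has to deliver so that rotation is enforced rather than merely recommended.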
3.3 BACKGROUND
[…]