

RedLine Stealer – Active IOCs
March 13, 2025
Multiple Fortinet Products Vulnerabilities
March 13, 2025
Severity
High
Analysis Summary
CVE-2025-1960 CVSS:9.8
An Initialization of a Resource with an Insecure Default vulnerability exists that could allow an attacker to execute unauthorized commands when a system’s default password credentials have not been changed on first use. The default username is not displayed correctly in the WebHMI interface.
CVE-2025-0813 CVSS:7
An Improper Authentication vulnerability exists that could cause an authentication bypass when an unauthorized user without permission rights has physical access to the EPAS-UI computer and is able to reboot the workstation and interrupt the normal boot process.
CVE-2025-2002 CVSS:6
An Insertion of Sensitive Information into Log Files vulnerability exists that could cause the disclosure of FTP server credentials when the FTP server is deployed, the device is placed in debug mode by an administrative user, and the debug files are exported from the device.
Impact
- Gain Access
- Security Bypass
- Information Disclosure
Indicators of Compromise
CVE
CVE-2025-1960
CVE-2025-0813
CVE-2025-2002
Affected Vendors
- Schneider Electric
Affected Products
- Schneider Electric EcoStruxure Power Automation System - WebHMI v4.1.0.0 and EPAS 2.6.30.19
- Schneider Electric EcoStruxure Power Automation System User Interface (EPAS-UI) - Secured v2.1 - v2.9
- Schneider Electric EcoStruxure Panel Server v2.0 and prior
Remediation
Refer to the Schneider Electric website for patch, upgrade, or suggested workaround information.