Deserialization in Schneider Electric EcoStruxure™ Power Monitoring Expert (PME)
CVE-2025-11739
A CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stream, triggering unsafe deserialization.
Vulnerability class: Insecure Deserialization
EPSS: 0.002 (39.1th percentile)
Affected products
- Schneider Electric EcoStruxure™ Power Monitoring Expert (PME): versions 2022, 2023, 2023 R2
- Schneider Electric EcoStruxure™ Power Operation (EPO) Advanced Reporting and Dashboards Module: versions 2022, 2024