Aggregates CVE and security vulnerability intelligence across all Schneider Electric-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve memory corruption, SQL injection, and related security problems, affecting software deployments and production workloads.

| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-6332 | CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of sensitive information, which could result in revealing protected source code and loss of confidentiality, when an authorized attacker accesses the source code for editing or compiling it. | [email protected] | 6.8 | 0.01% | 2026-05-14 | 2026-05-27 |
| CVE-2026-2405 | CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause excessive troubleshooting zip file creation and denial of service when a Web Admin user floods the system with POST /helpabout requests. | [email protected] | 5.3 | 0.05% | 2026-04-14 | 2026-04-22 |
| CVE-2026-2404 | CWE-116 Improper Encoding or Escaping of Output vulnerability exists that could cause log injection and forged log when an attacker alters the POST /j_security check request payload. | [email protected] | 6.9 | 0.06% | 2026-04-14 | 2026-04-22 |
| CVE-2026-2403 | CWE-1284 Improper Validation of Specified Quantity in Input vulnerability exists that could cause Event and Data Log truncation impacting log integrity when a Web Admin user alters the POST /logsettings request payload. | [email protected] | 5.3 | 0.08% | 2026-04-14 | 2026-04-22 |
| CVE-2026-2402 | CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on a sequence of requests to multiple endpoints. | [email protected] | 6.9 | 0.05% | 2026-04-14 | 2026-04-22 |
| CVE-2026-2401 | CWE-532 Insertion of Sensitive Information into Log File vulnerability exists that could cause confidential information to be exposed when a Web Admin user executes a malicious file provided by an attacker. | [email protected] | 2.4 | 0.01% | 2026-04-14 | 2026-04-22 |
| CVE-2026-2400 | CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload. | [email protected] | 5.3 | 0.05% | 2026-04-14 | 2026-04-22 |
| CVE-2026-2399 | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause critical files to be overwritten with text data when a Web Admin user alters the POST /REST/upssleep request payload. | [email protected] | 6.9 | 0.02% | 2026-04-14 | 2026-04-22 |
| CVE-2025-13845 | CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody. | [email protected] | 8.4 | 0.02% | 2026-01-15 | 2026-04-27 |
| CVE-2025-13844 | CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody. | [email protected] | 8.4 | 0.02% | 2026-01-15 | 2026-03-03 |
| CVE-2024-9409 | CWE-400: An Uncontrolled Resource Consumption vulnerability exists that could cause the device to become unresponsive resulting in communication loss when a large amount of IGMP packets is present in the network. | [email protected] | 8.7 | 0.27% | 2024-11-13 | 2024-11-19 |
| CVE-2024-10575 | CWE-862: Missing Authorization vulnerability exists that could cause unauthorized access when enabled on the network and potentially impacting connected devices. | [email protected] | 10.0 | 0.40% | 2024-11-13 | 2024-11-19 |
| CVE-2024-8422 | CWE-416: Use After Free vulnerability exists that could cause arbitrary code execution, denial of service and loss of confidentiality & integrity when application user opens a malicious Zelio Soft 2 project file. | [email protected] | 7.8 | 0.12% | 2024-10-08 | 2024-10-16 |
| CVE-2024-8306 | CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity and availability of the workstation when non-admin authenticated user tries to perform privilege escalation by tampering with the binaries. | [email protected] | 7.8 | 0.10% | 2024-09-11 | 2024-09-18 |
| CVE-2024-6407 | CWE-200: Information Exposure vulnerability exists that could cause disclosure of credentials when a specially crafted message is sent to the device. | [email protected] | 9.8 | 0.39% | 2024-07-11 | 2024-11-21 |
| CVE-2024-6528 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a vulnerability leading to a cross-site scripting condition where attackers can have a victim’s browser run arbitrary JavaScript when they visit a page containing the injected payload. | [email protected] | 5.4 | 0.57% | 2024-07-11 | 2024-11-21 |
| CVE-2024-5681 | CWE-20: Improper Input Validation vulnerability exists that could cause local denial-of-service, privilege escalation, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver. | [email protected] | 7.8 | 0.11% | 2024-07-11 | 2024-11-21 |
| CVE-2024-5680 | CWE-129: Improper Validation of Array Index vulnerability exists that could cause local denial-of-service when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver. | [email protected] | 7.1 | 0.07% | 2024-07-11 | 2024-11-21 |
| CVE-2024-5679 | CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, or kernel memory leak when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver. | [email protected] | 7.1 | 0.06% | 2024-07-11 | 2024-11-21 |
| CVE-2024-2602 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could result in remote code execution when an authenticated user executes a saved project file that has been tampered with by a malicious actor. | [email protected] | 7.3 | 4.46% | 2024-07-11 | 2024-11-21 |