CVE-2025-11566
📋 TL;DR
This vulnerability allows attackers on the local network to brute-force authentication on the /REST/shutdownnow endpoint, potentially gaining unauthorized access to user accounts. It affects Schneider Electric systems with exposed REST APIs. Attackers can perform unlimited authentication attempts without rate limiting.
💻 Affected Systems
- Schneider Electric systems with /REST/shutdownnow endpoint
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via unauthorized administrative access leading to data theft, system shutdown, or ransomware deployment.
Likely Case
Unauthorized access to user accounts allowing data exfiltration, configuration changes, or service disruption.
If Mitigated
Limited impact with proper network segmentation and authentication controls preventing brute-force attempts.
🎯 Exploit Status
Exploitation requires network access and the ability to send HTTP requests to the endpoint; brute-forcing is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-315-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-315-01.pdf
Restart Required: Yes
Instructions:
1. Review vendor advisory SEVD-2025-315-01
2. Download and apply recommended patches
3. Restart affected systems
4. Verify patch application
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the /REST/shutdownnow endpoint using firewall rules (Linux):
iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [PORT] -j DROP
Authentication Rate Limiting
Implement rate limiting on authentication attempts using a web application firewall or proxy (all platforms)
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable systems from untrusted networks
- Deploy a web application firewall with brute-force protection rules for the /REST/shutdownnow endpoint
🔍 How to Verify
Check if Vulnerable:
Test if you can send multiple authentication requests to the /REST/shutdownnow endpoint without being blocked
Check Version:
Check system documentation or vendor portal for version information
Verify Fix Applied:
Verify authentication attempts are now rate-limited or blocked after excessive failures
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts from a single IP
- Unusual access patterns to /REST/shutdownnow
Network Indicators:
- High volume of POST requests to /REST/shutdownnow endpoint
- Authentication brute-force patterns
SIEM Query:
source="web_logs" AND uri="/REST/shutdownnow" AND status=401 | stats count by src_ip | where count > 10
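For sites without a SIEM, the same detection can be run over access logs directly. The script below is an added example, not vendor code or part of the original page: it counts 401 responses to /REST/shutdownnow per source IP inside a sliding time window. The combined-style log format, the 10-failure threshold, the 5-minute window and the sample lines are assumptions; lines are expected in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: "combined"-style access log from a proxy in front of the device.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
TARGET_PATH = "/REST/shutdownnow"  # endpoint named on this page
FAIL_STATUS = "401"                # status the SIEM query filters on


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Map src_ip -> peak failure count, for IPs with more than
    `threshold` failed requests to TARGET_PATH inside any `window`."""
    recent = defaultdict(deque)  # src_ip -> failure timestamps still in window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != FAIL_STATUS:
            continue
        # Match on the path only so a query string cannot hide the request.
        if m["uri"].split("?", 1)[0] != TARGET_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks


def sample_log():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    fmt = '{ip} - - [12/Nov/2025:10:00:{s:02d} +0000] "POST {uri} HTTP/1.1" {st} 0 "-" "-"'
    burst = [fmt.format(ip="192.0.2.10", s=2 * i, uri=TARGET_PATH, st=401) for i in range(15)]
    typo = [fmt.format(ip="198.51.100.7", s=30 + i, uri=TARGET_PATH, st=401) for i in range(3)]
    typo.append(fmt.format(ip="198.51.100.7", s=40, uri=TARGET_PATH, st=200))
    other = [fmt.format(ip="203.0.113.5", s=i, uri="/index.html", st=401) for i in range(20)]
    return burst + typo + other


if __name__ == "__main__":
    for ip, peak in find_bruteforce(sample_log()).items():
        print(f"ALERT {ip}: {peak} failed requests to {TARGET_PATH} within 5 minutes")
```

Unlike a plain count over the whole search range, the sliding window ignores a few mistyped passwords spread across a day while still catching a short burst.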