CVE-2025-13905
📋 TL;DR
A local privilege escalation vulnerability exists where normal users can modify executable service binaries in the installation folder. When the service restarts, these modified binaries execute with elevated privileges, potentially allowing attackers to gain reverse shell access. This affects systems running vulnerable Schneider Electric software where local users have write access to installation directories.
💻 Affected Systems
- Schneider Electric software with vulnerable service installations
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, persistent backdoors, data exfiltration, and lateral movement across the network.
Likely Case
Local privilege escalation leading to unauthorized administrative access on affected systems, potentially enabling further attacks.
If Mitigated
Limited impact with proper file permissions and access controls preventing unauthorized binary modifications.
🎯 Exploit Status
Exploitation requires local user access and ability to modify files in installation directory. Service restart may occur naturally or be triggered by various events.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Schneider Electric advisory SEVD-2026-013-02
Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-02.pdf
Restart Required: Yes
Instructions:
1. Review Schneider Electric advisory SEVD-2026-013-02. 2. Download and apply the appropriate patch for your product version. 3. Restart affected services. 4. Verify file permissions are properly set post-patch.
🔧 Temporary Workarounds
Restrict installation directory permissions
allRemove write permissions for non-administrative users on service installation directories
Windows: icacls "C:\Program Files\Schneider\*" /deny Users:(OI)(CI)W
Linux: chmod -R o-w /opt/schneider/
Implement file integrity monitoring
allMonitor for unauthorized changes to executable files in installation directories
🧯 If You Can't Patch
- Implement strict access controls to prevent non-admin users from writing to installation directories
- Monitor service restart events and audit file modifications in installation folders
🔍 How to Verify
Check if Vulnerable:
Check if non-administrative users have write permissions to Schneider Electric installation directories and if services run with elevated privileges.Check Version:
Check product documentation for version verification commands specific to each Schneider Electric product.Verify Fix Applied:
Verify patch installation via version check and confirm that non-admin users no longer have write access to installation directories.📡 Detection & Monitoring
Log Indicators:
- Unexpected service restarts
- File modification events in installation directories
- New reverse shell connections from service accounts
Network Indicators:
- Outbound connections from service accounts to unexpected destinations
- Reverse shell traffic patterns
SIEM Query:
EventID=4688 OR EventID=4689 AND (ProcessName contains 'schneider' OR CommandLine contains 'reverse') OR FileModification in ('C:\Program Files\Schneider\*', '/opt/schneider/*')