[TIMESTAMP: 2026-03-17 20:17 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

CVE-2025-13957: Hard-coded Credentials in Schneider EcoStruxure DCE

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Information disclosure and remote code execution risk in critical infrastructure sectors.
  • [02] Affected systems: Schneider Electric EcoStruxure IT Data Center Expert versions 9.0 and prior.
  • [03] Remediation: Update to EcoStruxure IT Data Center Expert version 9.1 immediately.

Overview of Hard-Coded Credentials in EcoStruxure Data Center Expert

Schneider Electric has identified and addressed a significant vulnerability, CVE-2025-13957, affecting its EcoStruxure IT Data Center Expert (DCE) product. This CVE involves the use of hard-coded credentials, which, under specific conditions, could allow for information disclosure and remote code execution (RCE). The vulnerability, tracked as CWE-798 (Use of Hard-coded Credentials), carries a CVSS v3.1 Base Score of 7.2, rated as HIGH severity. Organizations utilizing EcoStruxure DCE are strongly advised to review their systems and apply the recommended remediations, as detailed in CISA’s advisory.

EcoStruxure IT Data Center Expert is a widely deployed, scalable monitoring software product used to collect, organize, and distribute critical device information across data center environments, often within critical infrastructure sectors such as Commercial Facilities, Energy, Food and Agriculture, Government Services, and Transportation Systems worldwide. A compromise of such a system can lead to severe operational disruption and unauthorized access to sensitive system data, underscoring the urgency of this advisory.

Technical Analysis: The Schneider Electric EcoStruxure Data Center Expert 9.0 Vulnerability

The core of the issue in CVE-2025-13957 lies within hard-coded credentials present in EcoStruxure IT Data Center Expert versions 9.0 and prior. While the hard-coded credentials themselves are a significant flaw, exploitation requires several preconditions, which mitigate the immediate widespread risk but do not diminish its potential impact once these conditions are met. Specifically, an attacker would need:

  • Administrator Credentials: The attacker must possess administrator credentials for the DCE system.
  • Known PostgreSQL Database Credentials: Access to the PostgreSQL database credentials is also a prerequisite.
  • SOCKS Proxy Enabled: The SOCKS Proxy feature within DCE must be enabled. Crucially, this feature is disabled by default, meaning an explicit configuration change is required to expose the system to this aspect of the vulnerability.

When these conditions converge, the vulnerability could be exploited to achieve information disclosure, allowing attackers to access sensitive data managed by DCE. Furthermore, successful exploitation could lead to RCE, granting attackers the ability to execute arbitrary code on the affected system. This level of compromise could enable lateral movement within the network, further data exfiltration, or even the deployment of ransomware or other malicious payloads, outcomes that are particularly concerning for critical infrastructure operations.

The fact that these prerequisites exist (known administrator and database credentials, and an enabled SOCKS Proxy) means that initial access or insider threat scenarios could leverage this vulnerability for significant impact. Organizations should assume that an attacker with existing high-level access would seek to enable features like SOCKS Proxy if it aids their objectives, thus transforming a latent vulnerability into an active threat vector.

Actionable Recommendations and Mitigations for CVE-2025-13957

Security professionals responsible for EcoStruxure IT Data Center Expert deployments must prioritize remediation efforts to mitigate the risks posed by CVE-2025-13957. Addressing this vulnerability in EcoStruxure Data Center Expert 9.0 and prior is critical for maintaining operational integrity and data confidentiality.

Primary Remediation: Update to Version 9.1

The most effective fix for the EcoStruxure IT Data Center Expert hard-coded credentials vulnerability is to upgrade to EcoStruxure IT Data Center Expert version 9.1. This version includes a fix for the identified vulnerability and is available for download directly from Schneider Electric. Applying this vendor fix should be the immediate priority for all affected installations.

Interim Mitigation Strategies

If immediate patching to version 9.1 is not feasible, organizations should implement the following interim mitigations for CVE-2025-13957:

  • Harden the DCE Instance: Adhere strictly to the cybersecurity best practices documented in the EcoStruxure IT Data Center Expert Security Handbook. This involves a comprehensive review of system configurations, access controls, and network settings to reduce the overall attack surface.
  • Disable SOCKS Proxy: Ensure that the SOCKS Proxy feature remains disabled. As this feature is off by default, administrators should verify its current status and ensure it has not been inadvertently or maliciously enabled.

General Cybersecurity Best Practices

Beyond the specific mitigations for CVE-2025-13957, Schneider Electric and CISA recommend broader cybersecurity measures for all Industrial Control Systems (ICS):

  • Network Segmentation: Isolate control and safety system networks from business networks using firewalls. This creates a defense-in-depth architecture, limiting the potential impact of a breach in one segment.
  • Physical Security: Implement robust physical controls to prevent unauthorized personnel access to industrial control systems, components, and networks.
  • Secure Device Configuration: Place all controllers in locked cabinets and never leave them in ‘Program’ mode. Avoid connecting programming software to any network other than the one it is intended for.
  • Sanitize Mobile Data Exchange: Scan all mobile data exchange methods (e.g., USB drives) before use on connected systems.
  • Minimize Network Exposure: Ensure control system devices are not directly accessible from the internet. When remote access is necessary, utilize secure methods such as Virtual Private Networks (VPNs), ensuring VPNs are up-to-date and securely configured. Remember that VPN security is tied to the security of its connected devices.

By combining the specific update to version 9.1 with diligent application of security best practices, organizations can significantly reduce their exposure to this and similar vulnerabilities, protecting their critical infrastructure operations.
