Schneider Electric Plant iT/Brewmaxx RCE via Multiple Redis Vulnerabilities

Critical Vulnerabilities in Schneider Electric Plant iT/Brewmaxx 9.60+ RCE Mitigation

Runtime Rebel is issuing a critical advisory regarding multiple high-severity vulnerabilities discovered in Schneider Electric Plant iT/Brewmaxx, versions 9.60 and above. These flaws, if exploited, could lead to privilege escalation and ultimately remote code execution (RCE) within industrial control systems (ICS). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory, ICSA-26-083-03, detailing these issues and providing urgent mitigation guidance. Given the deployment of this software in critical infrastructure sectors such as Energy, Critical Manufacturing, and Commercial Facilities worldwide, immediate action from asset owners and operators is paramount.

Technical Analysis of Redis Vulnerabilities

The core of these vulnerabilities lies within the affected product’s use of Redis, an open-source, in-memory database. All versions of Redis 8.2.1 and below, as integrated into Plant iT/Brewmaxx, are susceptible to various manipulation techniques via specially crafted Lua scripts. Successful exploitation requires an authenticated user, but the potential impact—ranging from RCE to denial of service—underscores the severe risk these vulnerabilities pose to operational technology (OT) environments.

Specifically, four CVEs have been identified:

• CVE-2025-49844: This is a Use-After-Free vulnerability, rated with a CVSS v3.1 score of 9.9 (Critical). An authenticated attacker can manipulate the garbage collector with a specially crafted Lua script, triggering the use-after-free condition. This can lead directly to RCE, allowing an adversary to execute arbitrary code on the affected system. This vulnerability presents the most immediate and severe threat. Understanding the mechanics of CVE-2025-49844 Redis Lua script exploit is crucial for a complete defense strategy.
• CVE-2025-46817: An Integer Overflow or Wraparound vulnerability, carrying a CVSS v3.1 score of 7.0 (High). Similar to the previous CVE, an authenticated user can leverage a specially crafted Lua script to cause an integer overflow. This can also result in RCE, making it a significant risk vector.
• CVE-2025-46818: Classified as an Improper Control of Generation of Code (‘Code Injection’), this vulnerability has a CVSS v3.1 score of 6.0 (Medium). An authenticated attacker can manipulate different Lua objects to execute their own code in the context of another user, leading to unauthorized actions or further compromise.
• CVE-2025-46819: Another Integer Overflow or Wraparound, with a CVSS v3.1 score of 6.3 (Medium). This flaw allows an authenticated user, again via a crafted Lua script, to read out-of-bound data or crash the server, resulting in information disclosure or a denial of service (DDoS).

The potential for these vulnerabilities to be chained, starting with an authenticated user and escalating to full RCE in an OT environment, poses a significant threat to operational continuity and safety.

Actionable Recommendations and Mitigations

To protect against the exploitation of these vulnerabilities in Schneider Electric Plant iT/Brewmaxx, organizations must implement the following remediations as detailed by Schneider Electric and CISA:

• Immediate Patching: The most critical step is to install Patch ProLeiT-2025-001. This patch is available via ProLeiT Support and directly addresses the underlying vulnerabilities.
• Secure Redis Configuration:
  • After applying the patch, disable the ‘eval’ commands in Redis on all affected components, including application servers, VisuHub, engineering workstations, and workstations with emergency mode functionality.
  • Force the usage of secure Redis configuration templates within system settings, as outlined in the patch manual.
  • Restart all patched servers and workstations to ensure changes are applied.
• Network Segmentation and Isolation:
  • Strictly segment control and safety system networks, placing them behind robust firewalls and isolating them from enterprise business networks. This practice is a cornerstone of industrial control systems cybersecurity best practices.
  • Implement physical access controls to prevent unauthorized personnel from interacting with industrial control systems, components, and networks.
• Secure Device Management:
  • Ensure all controllers are in locked cabinets and never left in “Program” mode.
  • Prohibit connecting programming software to any network other than its intended, isolated network.
• Data Exchange and Remote Access Controls:
  • Scan all portable data exchange methods (e.g., USB drives, CDs) before use within isolated networks.
  • Sanitize mobile devices that have connected to external networks before allowing them to connect to safety or control networks.
  • Minimize network exposure for all control system devices; they should not be directly accessible from the internet.
  • When remote access is necessary, utilize secure methods such as virtual private networks (VPNs), ensuring they are updated to the latest versions and are as secure as the connected devices.

These layered defenses, combined with timely patching and adherence to security best practices, are essential to mitigate the risk posed by these vulnerabilities. Organizations should refer to Schneider Electric’s security notification “SEVD-2026-013-01” for further vendor-specific guidance.