Mallory
High

Hard-coded Credentials RCE in Schneider Electric EcoStruxure Data Center Expert

Identifiers: CVE-2025-13957, CWE-798 · Use of Hard-coded Credentials

CVE-2025-13957 is a high-severity vulnerability in Schneider Electric EcoStruxure Data Center Expert caused by the use of hard-coded credentials in the product’s postgres service. The issue is associated with CWE-798 (Use of Hard-coded Credentials). The postgres service listens on TCP port 5432 by default, and exploitation is possible when SOCKS Proxy is enabled and valid administrator credentials and PostgreSQL database credentials are known. A remote attacker can authenticate to the exposed service and leverage the hard-coded credential condition to execute arbitrary code on the affected installation in the context of the service account. Schneider Electric indicates affected versions are EcoStruxure IT/Data Center Expert versions less than or equal to 9.0, and the issue is also referenced as ZDI-26-212.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in remote code execution on the affected EcoStruxure Data Center Expert system in the context of the postgres service account. The vulnerability can also lead to information disclosure. Given the CVSS vector provided (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the expected impact includes compromise of confidentiality, integrity, and availability of the affected system and potentially associated application data stored in or accessible through the database-backed service.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by ensuring SOCKS Proxy remains disabled: it is disabled by default, and exploitation requires it to be enabled. Restrict network access to the postgres service on TCP port 5432 to trusted administrative hosts only, prevent untrusted remote access, and protect and rotate any administrator and PostgreSQL credentials where possible. Additional compensating controls should follow Schneider Electric’s published guidance in SEVD-2026-069-05.
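One way to check that the port 5432 restriction above actually holds is to audit exported flow or firewall records for connections to the Data Center Expert server from outside the administrative range. This is an added example, not code from Schneider Electric or from this page's source; the server address, the admin network, the CSV layout and the sample records are all constructed assumptions.

```python
import csv
import io
import ipaddress

PG_PORT = 5432  # postgres service port named in the advisory

# Assumptions (constructed for this example, not from the advisory):
DCE_SERVERS = {ipaddress.ip_address("10.20.0.15")}         # Data Center Expert host
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.9.0/28")]  # admin jump hosts

# Constructed flow records in an assumed CSV export format.
SAMPLE_FLOWS = """\
ts,src,dst,dport,action
2026-03-11T08:02:11Z,10.20.9.4,10.20.0.15,5432,ACCEPT
2026-03-11T08:05:40Z,10.20.44.7,10.20.0.15,5432,ACCEPT
2026-03-11T08:06:02Z,192.0.2.50,10.20.0.15,5432,DROP
2026-03-11T08:07:19Z,10.20.44.7,10.20.0.15,443,ACCEPT
2026-03-11T08:09:55Z,10.20.44.7,10.20.0.99,5432,ACCEPT
not-a-flow-line
"""

def is_trusted(src):
    """True when the source address sits inside an approved admin network."""
    return any(src in net for net in TRUSTED_ADMIN_NETS)

def audit_flows(text):
    """Return (violations, blocked, skipped) for untrusted flows to postgres."""
    violations, blocked, skipped = [], [], 0
    for row in csv.DictReader(io.StringIO(text)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
        except (KeyError, TypeError, ValueError):
            skipped += 1  # malformed record: count it, do not silently drop it
            continue
        if dst not in DCE_SERVERS or dport != PG_PORT or is_trusted(src):
            continue
        record = (row["ts"], str(src))
        if (row["action"] or "").upper() == "ACCEPT":
            violations.append(record)  # ACL gap: untrusted host reached 5432
        else:
            blocked.append(record)     # ACL held; source is still worth reviewing
    return violations, blocked, skipped

if __name__ == "__main__":
    bad, denied, skipped = audit_flows(SAMPLE_FLOWS)
    print("allowed from untrusted sources:", bad)
    print("blocked attempts:", denied, "| unparsed records:", skipped)
```

Any entry in the first list means the access restriction is not in effect for that source and the filtering rules need correcting.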

Remediation

Patch, then assume compromise.

Schneider Electric has issued an update to correct the vulnerability. Affected organizations should upgrade EcoStruxure Data Center Expert to a vendor-fixed version and follow Schneider Electric security notice SEVD-2026-069-05 for product-specific remediation guidance. If running versions less than or equal to 9.0, prioritize patching due to the remote code execution impact.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.
