Struxureware Data Center Expert
CVEs (25)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-8531 | Hig | 0.47 | 7.2 | 0.00 | Oct 11, 2024 | CWE-347: Improper Verification of Cryptographic Signature vulnerability exists that could compromise the Data Center Expert software when an upgrade bundle is manipulated to include arbitrary bash scripts that are executed as root. | ||
| CVE-2026-8045 | Hig | 0.46 | — | 0.00 | Jun 9, 2026 | CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure of server-side file contents when an attacker with a Data Center Expert user account submits crafted XML payloads to SOAP service endpoints. | ||
| CVE-2018-3639 | Med | 0.44 | 5.5 | 0.61 | May 22, 2018 | Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis,… | ||
| CVE-2017-8371 | Med | 0.44 | 6.8 | 0.01 | Apr 30, 2017 | Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses cleartext RAM storage for passwords, which might allow remote attackers to obtain sensitive information via unspecified vectors. | ||
| CVE-2025-13957 | 0.00 | — | 0.01 | Mar 10, 2026 | CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default. | |||
| CVE-2023-37199 | 0.00 | — | 0.01 | Jul 12, 2023 | A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored. | |||
| CVE-2023-37198 | 0.00 | — | 0.01 | Jul 12, 2023 | A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages. | |||
| CVE-2023-37197 | 0.00 | — | 0.01 | Jul 12, 2023 | A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions… | |||
| CVE-2023-37196 | 0.00 | — | 0.01 | Jul 12, 2023 | A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when… | |||
| CVE-2023-25555 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow a user that knows the credentials to execute unprivileged shell commands on the appliance over SSH. … | |||
| CVE-2023-25553 | 0.00 | — | 0.00 | Apr 18, 2023 | A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver. Affected products: StruxureWare Data Center Expert (V7.9.2 and… | |||
| CVE-2023-25551 | 0.00 | — | 0.00 | Apr 18, 2023 | A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and… | |||
| CVE-2023-25550 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows remote code execution via the “hostname” parameter when maliciously crafted hostname syntax is entered. Affected products: StruxureWare Data Center… | |||
| CVE-2023-25549 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||
| CVE-2023-25554 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected… | |||
| CVE-2023-25552 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized content, changes or deleting of content, or performing unauthorized functions when tampering the Device File Transfer settings on DCE endpoints. Affected products:… | |||
| CVE-2023-25548 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints not being properly secured when a hacker is using a low privileged user. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||
| CVE-2023-25547 | 0.00 | — | 0.01 | Apr 18, 2023 | A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||
| CVE-2022-32519 | 0.00 | — | 0.00 | Jan 30, 2023 | A CWE-257: Storing Passwords in a Recoverable Format vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. Affected Products: Data Center Expert (Versions prior to V7.9.0) | |||
| CVE-2022-32520 | 0.00 | — | 0.01 | Jan 30, 2023 | A CWE-522: Insufficiently Protected Credentials vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. This CVE is unique from CVE-2022-32518. Affected Products: Data Center Expert (Versions prior to… |
- risk 0.47cvss 7.2epss 0.00
CWE-347: Improper Verification of Cryptographic Signature vulnerability exists that could compromise the Data Center Expert software when an upgrade bundle is manipulated to include arbitrary bash scripts that are executed as root.
- risk 0.46cvss —epss 0.00
CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure of server-side file contents when an attacker with a Data Center Expert user account submits crafted XML payloads to SOAP service endpoints.
- risk 0.44cvss 5.5epss 0.61
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis,…
- risk 0.44cvss 6.8epss 0.01
Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses cleartext RAM storage for passwords, which might allow remote attackers to obtain sensitive information via unspecified vectors.
- CVE-2025-13957Mar 10, 2026risk 0.00cvss —epss 0.01
CWE-798: Use of Hard-coded Credentials vulnerability exists that could cause information disclosure and remote code execution when SOCKS Proxy is enabled, and administrator credentials and PostgreSQL database credentials are known. SOCKS Proxy is disabled by default.
- CVE-2023-37199Jul 12, 2023risk 0.00cvss —epss 0.01
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored.
- CVE-2023-37198Jul 12, 2023risk 0.00cvss —epss 0.01
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages.
- CVE-2023-37197Jul 12, 2023risk 0.00cvss —epss 0.01
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions…
- CVE-2023-37196Jul 12, 2023risk 0.00cvss —epss 0.01
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command ('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to access unauthorized content, change, or delete content, or perform unauthorized actions when…
- CVE-2023-25555Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow a user that knows the credentials to execute unprivileged shell commands on the appliance over SSH. …
- CVE-2023-25553Apr 18, 2023risk 0.00cvss —epss 0.00
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE endpoint through the logging capabilities of the webserver. Affected products: StruxureWare Data Center Expert (V7.9.2 and…
- CVE-2023-25551Apr 18, 2023risk 0.00cvss —epss 0.00
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and…
- CVE-2023-25550Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows remote code execution via the “hostname” parameter when maliciously crafted hostname syntax is entered. Affected products: StruxureWare Data Center…
- CVE-2023-25549Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
- CVE-2023-25554Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected…
- CVE-2023-25552Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-862: Missing Authorization vulnerability exists that could allow viewing of unauthorized content, changes or deleting of content, or performing unauthorized functions when tampering the Device File Transfer settings on DCE endpoints. Affected products:…
- CVE-2023-25548Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints not being properly secured when a hacker is using a low privileged user. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
- CVE-2023-25547Apr 18, 2023risk 0.00cvss —epss 0.01
A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
- CVE-2022-32519Jan 30, 2023risk 0.00cvss —epss 0.00
A CWE-257: Storing Passwords in a Recoverable Format vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. Affected Products: Data Center Expert (Versions prior to V7.9.0)
- CVE-2022-32520Jan 30, 2023risk 0.00cvss —epss 0.01
A CWE-522: Insufficiently Protected Credentials vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. This CVE is unique from CVE-2022-32518. Affected Products: Data Center Expert (Versions prior to…
Page 1 of 2