VYPR
Advisory · Published Mar 16, 2026 · Updated May 18, 2026 · 1 source

Hard-Coded Password in Schneider Electric EcoStruxure Data Center Expert Allows Remote Code Execution

A hard-coded password vulnerability (CVE-2025-13957) in Schneider Electric's EcoStruxure Data Center Expert allows authenticated remote attackers to execute arbitrary code via the PostgreSQL service.

Schneider Electric has disclosed a critical vulnerability in its EcoStruxure Data Center Expert (DCE) software that could allow authenticated remote attackers to execute arbitrary code. The flaw, tracked as CVE-2025-13957 and reported by researcher Hassan Ali, carries a CVSS score of 8.8 and stems from the use of hard-coded credentials in the product's PostgreSQL service.

The vulnerability resides in the postgres service, which listens on TCP port 5432 by default. According to the advisory published by the Zero Day Initiative (ZDI-26-212), the issue results from the use of hard-coded credentials, which an attacker can leverage to execute code in the context of the service account. Authentication is required to exploit the flaw, but a hard-coded credential is the same on every installation and cannot be rotated by the operator, so anyone who has recovered it from any copy of the product can satisfy that requirement. Reaching the database with those credentials is enough to run code as the service account, from which an attacker can escalate privileges on the host or move laterally within the affected environment.

EcoStruxure Data Center Expert is a widely deployed infrastructure management platform used by data center operators to monitor and control power, cooling, and environmental systems. The software is critical for maintaining uptime and operational efficiency in enterprise data centers, making any vulnerability that allows remote code execution particularly concerning. An attacker who successfully exploits CVE-2025-13957 could potentially disrupt data center operations, exfiltrate sensitive monitoring data, or use the compromised system as a pivot point for further attacks.

Schneider Electric has released a security update to address the vulnerability, detailed in advisory SEVD-2026-069-05. The update is available for download from the company's support portal. The disclosure timeline shows that the vulnerability was reported to Schneider Electric on February 2, 2026, with the coordinated public release occurring on March 16, 2026. Organizations using EcoStruxure Data Center Expert are strongly advised to apply the patch immediately.

This vulnerability is part of a broader pattern of hard-coded credential issues in industrial control system (ICS) software. Use of hard-coded credentials (CWE-798) is a well-known security anti-pattern: the secret is shared by every deployment, can be extracted from any installation or firmware image, and cannot be changed by the customer, which gives attackers persistent access that is difficult to remediate until the vendor ships a fix. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly warned about such flaws in ICS products, and they are exploited in both targeted intrusions and broad scanning campaigns.
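To make the anti-pattern concrete, the following is an added illustration (not Schneider Electric's or Vypr's code) of a hard-coded database credential beside the usual fix: a random secret generated once per installation and stored owner-only. The account name `dce_app`, the connection-string format and the file paths are assumptions made for the example; no database is contacted.

```python
"""Hard-coded vs per-install database credential provisioning.

Added example, not product code. Account name, DSN format and paths are
assumptions; nothing here connects to a real PostgreSQL server.
"""
import os
import secrets
import stat
import tempfile
from pathlib import Path

DB_USER = "dce_app"  # assumed service account name

# --- The weakness (CWE-798): one password baked into every shipped copy. ---
DB_PASSWORD = "static-secret-in-every-build"  # constructed placeholder


def vulnerable_dsn() -> str:
    """Every installation yields this exact DSN, so reading one copy of the
    product (binary, config, firmware image) is enough to log in anywhere."""
    return f"host=127.0.0.1 port=5432 user={DB_USER} password={DB_PASSWORD}"


# --- The fix: a secret generated on first boot, unique to this install. ---
def provision_db_password(secret_path: Path) -> str:
    """Create the password once, with mode 0600 so only the service owner can
    read it; later calls reuse the stored value."""
    if secret_path.exists():
        return secret_path.read_text().strip()
    password = secrets.token_urlsafe(32)
    # O_EXCL: fail rather than overwrite if another process raced us.
    fd = os.open(secret_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(password + "\n")
    return password


def hardened_dsn(secret_path: Path) -> str:
    return f"host=127.0.0.1 port=5432 user={DB_USER} password={provision_db_password(secret_path)}"


def password_of(dsn: str) -> str:
    return dsn.split("password=", 1)[1]


def shares_password(dsns: list[str]) -> bool:
    """The tell for a hard-coded credential: independent installs that
    produce the same password."""
    return len({password_of(d) for d in dsns}) < len(dsns)


def demo() -> dict:
    """Simulate two independent installations and compare both schemes."""
    workdir = Path(tempfile.mkdtemp(prefix="dce-demo-"))
    install_a = hardened_dsn(workdir / "a.secret")
    install_b = hardened_dsn(workdir / "b.secret")
    return {
        "vulnerable_shared": shares_password([vulnerable_dsn(), vulnerable_dsn()]),
        "hardened_shared": shares_password([install_a, install_b]),
        "hardened_stable": hardened_dsn(workdir / "a.secret") == install_a,
        "secret_mode": stat.S_IMODE(os.stat(workdir / "a.secret").st_mode),
    }


if __name__ == "__main__":
    print(demo())
```

The per-install secret still has to be protected on disk and rotated when the host is rebuilt, but it removes the property that made CVE-2025-13957 dangerous: a single leaked value that unlocks every deployment.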

The ZDI advisory notes that the vulnerability was reported through coordinated disclosure and that Schneider Electric cooperated in the coordinated release. The researcher Hassan Ali is credited with reporting the flaw. As of the advisory date there is no public evidence of active exploitation, but publication of the affected service and weakness class could prompt threat actors to develop exploits.

Data center operators and managed service providers using EcoStruxure Data Center Expert should prioritize patching, especially for systems exposed to the internet or reachable from untrusted networks. Until the update is applied, restrict network access to TCP port 5432 to the management hosts that genuinely need it (host-based firewall rules and, where the product permits it, PostgreSQL host-based access rules), since a hard-coded credential cannot be mitigated by password policy alone. Network segmentation and monitoring for database sessions from unexpected sources, or repeated failed logins against the database accounts, can help detect exploitation attempts.
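As an added example of the monitoring step (not code from Vypr, ZDI or Schneider Electric), the script below checks PostgreSQL connection log lines against an allowlist of management networks and flags sessions from anywhere else, plus bursts of failed logins against a database account. The log lines are constructed in the shape PostgreSQL produces with `log_connections = on` and the default `log_line_prefix` of `'%m [%p] '`; the allowlist, host addresses, user and database names are assumptions.

```python
"""Flag PostgreSQL sessions to the DCE database from non-allowlisted hosts.

Added example, not product code. SAMPLE_LOG is constructed; ALLOWED_NETS,
account and database names are assumptions for the illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed: only these networks may open sessions to port 5432.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "127.0.0.1/32")]

# log_connections=on emits "connection received" (with the peer address) and,
# after auth, "connection authorized" under the same backend PID.
PREFIX = r"^\S+ \S+ \S+ \[(?P<pid>\d+)\] "
RECEIVED = re.compile(PREFIX + r"LOG:\s+connection received: host=(?P<host>\S+) port=\d+")
AUTHORIZED = re.compile(PREFIX + r"LOG:\s+connection authorized: user=(?P<user>\S+) database=(?P<db>\S+)")
FAILED = re.compile(PREFIX + r'FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"')


def allowed(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # "[local]" sockets or hostnames: not on the IP allowlist
    return any(addr in net for net in ALLOWED_NETS)


def analyze(lines, failure_threshold: int = 3) -> list[str]:
    """Return human-readable alerts for the given log lines."""
    host_by_pid: dict[str, str] = {}
    failures: dict[tuple[str, str], int] = defaultdict(int)
    alerts: list[str] = []
    for line in lines:
        if m := RECEIVED.match(line):
            host_by_pid[m["pid"]] = m["host"]
        elif m := AUTHORIZED.match(line):
            host = host_by_pid.get(m["pid"], "?")
            if not allowed(host):
                alerts.append(f"session from non-allowlisted host {host} as {m['user']} on {m['db']}")
        elif m := FAILED.match(line):
            host = host_by_pid.get(m["pid"], "?")
            key = (host, m["user"])
            failures[key] += 1
            if failures[key] == failure_threshold:
                alerts.append(f"{failure_threshold} failed logins for {m['user']} from {host}")
    return alerts


# Constructed sample: one legitimate session, one from an outside address,
# then three failed password attempts against the "postgres" superuser.
SAMPLE_LOG = """\
2026-03-20 10:15:01.123 UTC [4101] LOG:  connection received: host=10.0.1.15 port=51234
2026-03-20 10:15:01.130 UTC [4101] LOG:  connection authorized: user=dce_app database=dce
2026-03-20 10:16:42.001 UTC [4188] LOG:  connection received: host=198.51.100.23 port=40022
2026-03-20 10:16:42.010 UTC [4188] LOG:  connection authorized: user=dce_app database=dce
2026-03-20 10:17:05.500 UTC [4190] LOG:  connection received: host=198.51.100.23 port=40023
2026-03-20 10:17:05.510 UTC [4190] FATAL:  password authentication failed for user "postgres"
2026-03-20 10:17:06.500 UTC [4191] LOG:  connection received: host=198.51.100.23 port=40024
2026-03-20 10:17:06.510 UTC [4191] FATAL:  password authentication failed for user "postgres"
2026-03-20 10:17:07.500 UTC [4192] LOG:  connection received: host=198.51.100.23 port=40025
2026-03-20 10:17:07.510 UTC [4192] FATAL:  password authentication failed for user "postgres"
"""


def sample_alerts() -> list[str]:
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

A successful login with the hard-coded credential produces a normal "connection authorized" line, so the source address is the only signal in the database log itself; that is why the allowlist check matters more here than the failed-login counter, which catches guessing rather than use of a known secret.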

Synthesized by Vypr AI