Schneider Electric has issued urgent security advisories for critical memory-corruption vulnerabilities in its EcoStruxure Power Build Rapsody software, with researchers warning that successful exploitation could allow attackers to execute arbitrary code on affected systems. The vulnerabilities, tracked as CVE-2025-13844 and CVE-2025-13845, affect versions of the engineering software used for configuring and programming Schneider Electric's power management and protection devices. According to security researchers who discovered these flaws, specially crafted project files could trigger memory corruption when opened in vulnerable versions of Rapsody, potentially leading to complete system compromise.

Understanding the Vulnerabilities

The two CVEs represent serious security weaknesses in how EcoStruxure Power Build Rapsody handles project files. CVE-2025-13844 is described as an out-of-bounds write vulnerability that occurs when parsing certain project file structures, while CVE-2025-13845 involves improper input validation that could lead to memory corruption. Both vulnerabilities share a common attack vector: an attacker could craft a malicious project file and convince a user to open it, either through social engineering or by compromising legitimate project repositories. Once opened, the specially crafted file could trigger the memory corruption, potentially allowing the attacker to execute arbitrary code with the privileges of the user running Rapsody.

Industrial control system (ICS) security experts emphasize that these vulnerabilities are particularly concerning because Rapsody is used to configure critical power management systems in industrial, commercial, and infrastructure environments. A successful attack could potentially disrupt power monitoring and protection systems, though Schneider Electric notes that the vulnerabilities affect the engineering workstation software rather than the runtime systems themselves. The company has assigned CVSS v3.1 base scores of 7.8 to both vulnerabilities, classifying them as high severity due to the potential impact on confidentiality, integrity, and availability.

Affected Products and Versions

Schneider Electric's security advisory specifies that EcoStruxure Power Build Rapsody versions prior to 2.4.1 are vulnerable to these memory-corruption issues. The software is part of Schneider's broader EcoStruxure architecture for building management and industrial automation solutions. Rapsody specifically serves as configuration software for power monitoring and protection devices, including circuit breakers, power meters, and protection relays used in electrical distribution systems. Organizations using earlier versions for engineering and maintenance activities should immediately assess their exposure.

Industrial cybersecurity professionals note that while the immediate impact is limited to engineering workstations, the potential downstream effects could be significant. Compromised engineering stations could be used to create malicious configurations that are then deployed to field devices, potentially causing operational disruptions or safety issues. This attack pattern has been observed in previous ICS-targeting campaigns, where attackers first compromise engineering workstations to gain a foothold in operational technology (OT) networks.

Patching and Mitigation Strategies

Schneider Electric has released version 2.4.1 of EcoStruxure Power Build Rapsody with fixes for both vulnerabilities. The company recommends that all users upgrade to this patched version immediately. For organizations that cannot immediately apply the update, Schneider provides several mitigation measures, including restricting access to project files from untrusted sources, implementing proper network segmentation to isolate engineering workstations, and applying the principle of least privilege to user accounts running the software. Security teams should also monitor for suspicious project file activity and consider implementing application allowlisting to prevent unauthorized software execution.

Industrial security experts emphasize that patching ICS software requires careful planning due to potential operational impacts. Organizations should test the updated version in a non-production environment before deploying to engineering workstations used for live systems. Additionally, security teams should verify that updated project files remain compatible with field devices and that the patching process doesn't disrupt ongoing engineering activities. For organizations with air-gapped systems, Schneider provides instructions for obtaining and applying offline updates through secure transfer methods.

The Broader ICS Security Landscape

These vulnerabilities in Schneider Electric software arrive amid increasing attention to industrial control system security. According to recent ICS security reports, memory-corruption vulnerabilities remain prevalent in industrial software, with improper input validation and boundary errors accounting for a significant percentage of disclosed ICS vulnerabilities. The convergence of IT and OT networks has expanded the attack surface for industrial systems, making engineering workstations increasingly attractive targets for sophisticated threat actors.

Security researchers have observed growing interest in ICS software vulnerabilities from both criminal and state-sponsored groups. While there's no evidence that CVE-2025-13844 or CVE-2025-13845 are currently being exploited in the wild, the disclosure follows patterns seen with other ICS vulnerabilities that were later weaponized. The relatively high CVSS scores and the code execution potential make these vulnerabilities particularly attractive to attackers seeking initial access to industrial environments.

Best Practices for Industrial Software Security

Beyond immediate patching, security professionals recommend several best practices for organizations using industrial engineering software like EcoStruxure Power Build Rapsody. These include implementing robust network segmentation to isolate engineering stations from both corporate IT networks and production OT networks, using dedicated engineering workstations rather than multi-purpose computers, and maintaining strict control over project file transfers. Regular security awareness training for engineering personnel is also crucial, as social engineering remains a common initial attack vector.
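The project-file controls described above (restricting files from untrusted sources, and keeping strict control over project file transfers) can be enforced with an authenticated hash manifest that is checked before a file is opened. The following is an added example, not code from Schneider Electric or from the advisory; the function names, the HMAC key handling, and the ".proj" extension are assumptions made for illustration, and all file contents are constructed.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _tag(entries, key):
    # HMAC over canonical JSON, so edits to the manifest itself are detected.
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(files, key):
    # Run by whoever approves project files for release to engineering stations.
    entries = {Path(p).name: sha256_file(p) for p in files}
    return {"entries": entries, "hmac": _tag(entries, key)}

def check_project_file(path, manifest, key):
    """Return (allowed, reason) for a project file about to be opened."""
    if not hmac.compare_digest(_tag(manifest["entries"], key), manifest.get("hmac", "")):
        return False, "manifest authentication failed"
    approved = manifest["entries"].get(Path(path).name)
    if approved is None:
        return False, "file not in approved manifest"
    if not hmac.compare_digest(approved, sha256_file(path)):
        return False, "hash mismatch: file changed after approval"
    return True, "ok"

def demo():
    key = b"constructed-demo-key"  # constructed; a real key belongs in a secrets store
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "substation_a.proj"  # ".proj" is a placeholder extension
        good.write_bytes(b"constructed project contents")
        manifest = build_manifest([good], key)
        results = {"approved": check_project_file(good, manifest, key)}
        good.write_bytes(b"constructed contents altered in transit")
        results["tampered"] = check_project_file(good, manifest, key)
        unknown = Path(d) / "from_email.proj"
        unknown.write_bytes(b"constructed unknown file")
        results["unknown"] = check_project_file(unknown, manifest, key)
        # A manifest rewritten to include the unknown file fails authentication.
        forged = {"entries": {unknown.name: sha256_file(unknown)}, "hmac": manifest["hmac"]}
        results["forged_manifest"] = check_project_file(unknown, forged, key)
    return results

if __name__ == "__main__":
    print(demo())
```

A passing check shows only that the file is the one that was approved, not that its contents are safe to parse, so it complements the upgrade to version 2.4.1 rather than replacing it.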

Organizations should also consider implementing additional security controls such as application control solutions that can prevent unauthorized software execution, endpoint detection and response (EDR) tools tailored for industrial environments, and regular vulnerability assessments of engineering software. Given the critical nature of power management systems configured with Rapsody, organizations may want to conduct threat modeling exercises specific to their deployment scenarios to identify potential attack paths and implement appropriate defensive measures.

The disclosure of CVE-2025-13844 and CVE-2025-13845 reflects broader trends in industrial cybersecurity, including increased researcher focus on ICS software, improved vulnerability disclosure processes between researchers and vendors, and growing recognition of the importance of securing engineering tools. Schneider Electric's coordinated disclosure and prompt patch release demonstrate maturing security practices among industrial automation vendors, though the continued discovery of memory-corruption vulnerabilities suggests that secure coding practices in industrial software development require further attention.

As industrial systems become increasingly connected and software-dependent, the security of engineering tools like EcoStruxure Power Build Rapsody will remain critical to overall operational resilience. Organizations using such software should establish regular patch management processes specifically for industrial applications, maintain inventory of all engineering software and associated vulnerabilities, and develop incident response plans that address potential compromises of engineering workstations. The memory-corruption vulnerabilities in Rapsody serve as a reminder that even specialized industrial software is not immune to common software security flaws that have plagued general-purpose applications for decades.