
CVE-2025-2002: CWE-532 Insertion of Sensitive Information into Log File in Schneider Electric EcoStruxure Panel Server

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-2002, cve, cve-2025-2002, cwe-532
Published: Wed Mar 12 2025 (03/12/2025, 15:25:20 UTC)
Source: CVE
Vendor/Project: Schneider Electric
Product: EcoStruxure Panel Server

Description

CWE-532: Insertion of Sensitive Information into Log Files vulnerability exists that could cause the disclosure of FTP server credentials when the FTP server is deployed, and the device is placed in debug mode by an administrative user and the debug files are exported from the device.

AI-Powered Analysis

Last updated: 07/12/2025, 04:04:31 UTC

Technical Analysis

CVE-2025-2002 is a medium-severity vulnerability classified under CWE-532, which involves the insertion of sensitive information into log files. This vulnerability affects Schneider Electric's EcoStruxure Panel Server versions 2.0 and prior. The core issue arises when the device is placed into debug mode by an administrative user, and debug files are subsequently exported. In this scenario, FTP server credentials used by the device are logged in plaintext within these debug files. Since these logs can be exported, an attacker or unauthorized party with access to the debug files could obtain these credentials, potentially leading to unauthorized access to the FTP server. The vulnerability requires local access with high privileges to enable debug mode and export logs, and no user interaction is needed beyond that. The CVSS 4.0 vector indicates that the attack vector is local (AV:L), with low attack complexity (AC:L), requiring privileges (PR:H), and partial authentication (AT:P). There is no impact on confidentiality, integrity, or availability directly from the vulnerability itself (VC:N, VI:N, VA:N), but the exposure of FTP credentials could lead to further compromise. No known exploits are currently reported in the wild, and no patches are listed yet. The vulnerability is significant because it exposes sensitive credentials through debug logs, which are often overlooked and may be stored or transmitted insecurely. This can facilitate lateral movement or data exfiltration if attackers gain access to these logs.

Potential Impact

For European organizations using Schneider Electric's EcoStruxure Panel Server, this vulnerability poses a risk of credential leakage that could lead to unauthorized access to FTP servers integral to operational technology (OT) environments. Given that EcoStruxure is widely deployed in industrial automation, energy management, and critical infrastructure sectors across Europe, exposure of FTP credentials could enable attackers to manipulate or exfiltrate sensitive operational data, disrupt industrial processes, or pivot to other network segments. The impact is particularly relevant for sectors such as manufacturing, energy utilities, and building management systems, where Schneider Electric products are prevalent. Although the vulnerability requires administrative access to enable debug mode, insider threats or attackers who have already compromised administrative credentials could exploit this to escalate their access. The lack of direct impact on confidentiality, integrity, or availability in the CVSS score reflects that the vulnerability itself is a stepping stone rather than a direct exploit. However, the potential for credential disclosure can lead to significant operational risks and compliance issues under European data protection regulations if sensitive operational data is exposed.

Mitigation Recommendations

European organizations should implement the following specific mitigations:
1) Restrict administrative access to EcoStruxure Panel Servers strictly to trusted personnel and enforce strong authentication mechanisms to prevent unauthorized enabling of debug mode.
2) Avoid enabling debug mode in production environments unless absolutely necessary, and ensure debug logs are handled securely, with access controls and encryption during storage and transmission.
3) Regularly audit and monitor log exports and administrative activities on these devices to detect any unusual or unauthorized debug mode activations or log retrievals.
4) Implement network segmentation to isolate EcoStruxure devices and their associated FTP servers from broader enterprise networks, limiting the impact of any credential disclosure.
5) Once available, promptly apply vendor patches or updates addressing this vulnerability.
6) Consider rotating FTP credentials regularly and using more secure authentication methods if supported, such as key-based authentication or VPN tunnels, to reduce the risk posed by credential leakage.
7) Educate administrators on the risks of debug mode and secure handling of debug files to prevent inadvertent exposure.
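A check that supports the secure handling of debug files recommended above: scan an exported debug log for FTP credentials and redact them before the file is stored or sent on. This is an added example, not Schneider Electric tooling or part of the original analysis; the log line formats, pattern names and sample lines are assumptions, since the page does not describe the real debug-file layout.

```python
import re

# Assumed patterns: common ways FTP credentials end up in debug logs.
# Each regex has three groups: prefix, secret, suffix.
PATTERNS = [
    # URL with embedded userinfo: ftp://user:secret@host
    ("ftp-url", re.compile(r"(?i)\b(s?ftps?://[^\s:/@]+:)([^\s/]+)(@)")),
    # FTP control-channel command as logged by a client: PASS secret
    ("ftp-pass-cmd", re.compile(r"(\bPASS\s+)(\S+)()")),
    # key=value or "key": "value" style settings
    ("kv-secret", re.compile(
        r"(?i)((?:password|passwd|pwd)[\"']?\s*[=:]\s*[\"']?)([^\s\"',;]+)()")),
]


def scan_and_redact(text):
    """Return (redacted_text, findings).

    findings is a list of (line_number, rule_name); the secret itself is
    never copied into the findings, so the report is safe to share.
    """
    findings, out = [], []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS:
            line, n = rx.subn(
                lambda m: m.group(1) + "[REDACTED]" + m.group(3), line)
            if n:
                findings.append((no, rule))
        out.append(line)
    return "\n".join(out), findings


# Constructed sample, not real device output.
SAMPLE = """\
2025-03-12T10:00:01Z DEBUG publisher: connecting to ftp://plantuser:S3cr3t!@192.0.2.10/upload
2025-03-12T10:00:01Z DEBUG ftp: > USER plantuser
2025-03-12T10:00:01Z DEBUG ftp: > PASS S3cr3t!
2025-03-12T10:00:02Z DEBUG config: ftp_password="S3cr3t!"
2025-03-12T10:00:03Z INFO  publisher: upload complete
"""

if __name__ == "__main__":
    redacted, hits = scan_and_redact(SAMPLE)
    for no, rule in hits:
        print(f"line {no}: {rule}")
    print(redacted)
```

Any finding also means the credential has already been written to the device's debug output, so the FTP password should be rotated rather than only redacted from the copy.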


Technical Details

Data Version: 5.1
Assigner Short Name: schneider
Date Reserved: 2025-03-05T18:28:10.193Z
Cisa Enriched: true
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd6cce

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/12/2025, 4:04:31 AM

Last updated: 8/7/2025, 10:32:17 AM
