
CVE-2025-54924: CWE-918 Server-Side Request Forgery (SSRF) in Schneider Electric EcoStruxure™ Power Monitoring Expert (PME)

High
Published: Wed Aug 20 2025 (08/20/2025, 13:39:10 UTC)
Source: CVE Database V5
Vendor/Project: Schneider Electric
Product: EcoStruxure™ Power Monitoring Expert (PME)

Description

CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthorized access to sensitive data when an attacker sends a specially crafted document to a vulnerable endpoint.

AI-Powered Analysis

Last updated: 08/20/2025, 14:03:10 UTC

Technical Analysis

CVE-2025-54924 is a high-severity Server-Side Request Forgery (SSRF) vulnerability identified in Schneider Electric's EcoStruxure™ Power Monitoring Expert (PME) product, affecting versions 2022, 2023, 2024, and 2024 R2. SSRF vulnerabilities occur when an attacker can manipulate a server to send unauthorized requests to internal or external systems, potentially bypassing network access controls. In this case, the vulnerability allows an attacker to send a specially crafted document to a vulnerable endpoint within PME, causing the server to make unintended requests. This can lead to unauthorized access to sensitive data that would otherwise be inaccessible to the attacker. The CVSS 3.1 base score of 7.5 reflects a high severity, with the vector indicating that the attack can be performed remotely over the network without authentication or user interaction (AV:N/AC:L/PR:N/UI:N), and impacts confidentiality (C:H) but not integrity or availability. The vulnerability is classified under CWE-918, which specifically relates to SSRF issues. No known exploits are currently reported in the wild, and no patches are linked yet, indicating that organizations using PME should prioritize monitoring and mitigation. Given PME's role in power monitoring and management, exploitation could expose sensitive operational data or internal network resources, potentially aiding further attacks or espionage.

Potential Impact

For European organizations, the impact of this SSRF vulnerability in Schneider Electric's PME is significant due to the critical nature of power monitoring infrastructure in industrial, commercial, and utility sectors. Unauthorized access to sensitive data could reveal operational metrics, network topology, or control system details, which may be leveraged for industrial espionage or sabotage. Given the reliance on PME in energy management and critical infrastructure, exploitation could undermine the confidentiality of operational data, potentially affecting energy providers, manufacturing plants, and large enterprises. This could lead to regulatory compliance issues under GDPR if personal or sensitive data is exposed, reputational damage, and increased risk of subsequent attacks targeting critical infrastructure. The lack of required authentication and user interaction lowers the barrier for attackers, increasing the risk profile for European entities using PME.

Mitigation Recommendations

Organizations should immediately conduct an inventory to identify all instances of Schneider Electric EcoStruxure PME versions 2022 through 2024 R2 in their environment. Until a patch is released, network-level mitigations should be applied, including restricting PME server outbound HTTP/HTTPS requests to only trusted destinations via firewall rules or proxy configurations to prevent SSRF exploitation. Implement strict input validation and sanitization on any user-supplied data that PME processes, if customization is possible. Monitor network traffic for unusual or unauthorized requests originating from PME servers. Employ network segmentation to isolate PME systems from sensitive internal networks to limit potential lateral movement. Regularly review Schneider Electric advisories for patch releases and apply updates promptly. Additionally, consider deploying Web Application Firewalls (WAFs) with SSRF detection capabilities to block malicious payloads targeting PME endpoints. Finally, conduct security awareness training for administrators managing PME to recognize signs of exploitation.
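Two of the recommendations above, restricting the server's outbound HTTP/HTTPS requests to trusted destinations and monitoring for unauthorized requests leaving the server, can be expressed as one egress policy. The following is an added illustration written for this page, not Schneider Electric's code and not a model of PME's endpoints: a destination check that enforces an allow-list of hostnames and schemes and also rejects any allow-listed name that resolves to an internal address, applied both as a gate before a request is sent and as a filter over constructed egress-proxy log lines. The allow-list, the resolver answers and the log lines are all constructed for the example.

```python
"""Added example: egress policy for a server that fetches URLs on behalf of callers.
Not Schneider Electric's code; hostnames, addresses and log lines are constructed."""
import ipaddress
from urllib.parse import urlparse

# Hypothetical allow-list of destinations the monitoring server is permitted to contact.
TRUSTED_HOSTS = {"updates.example-vendor.invalid", "time.example.invalid"}
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(ip_text):
    """True for loopback, private, link-local, multicast, reserved or unspecified addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparseable address: do not treat it as safe
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolve=None):
    """Return (allowed, reason) for a URL the server is about to fetch.

    `resolve` is a function mapping a hostname to a list of IP strings; it is injected
    so the example runs offline. Checks run in order: scheme, host allow-list, then the
    resolved addresses, so that a trusted name pointed at an internal range is still refused.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname  # strips userinfo and port, so "user@host" forms cannot mask the host
    if not host:
        return False, "no host in URL"
    if host not in TRUSTED_HOSTS:
        return False, f"host {host!r} not on allow-list"
    for addr in (resolve(host) if resolve else []):
        if is_internal_address(addr):
            return False, f"host {host!r} resolves to internal address {addr}"
    return True, "ok"


def fake_resolver(host):
    """Constructed DNS answers; the second maps a trusted name to an internal address."""
    table = {
        "updates.example-vendor.invalid": ["45.60.10.20"],  # constructed public address
        "time.example.invalid": ["10.0.0.5"],               # constructed internal address
    }
    return table.get(host, [])


# Constructed egress-proxy log: "<time> <source_ip> <method> <url>", one request per line.
SAMPLE_EGRESS_LOG = """\
2025-08-20T13:40:01Z 10.10.5.20 GET https://updates.example-vendor.invalid/manifest.json
2025-08-20T13:40:07Z 10.10.5.20 GET http://10.10.0.15:8080/admin
2025-08-20T13:40:09Z 10.10.5.20 GET http://127.0.0.1/
2025-08-20T13:40:12Z 10.10.5.20 GET https://time.example.invalid/api
2025-08-20T13:40:15Z 10.10.5.20 GET ftp://updates.example-vendor.invalid/x
"""


def find_policy_violations(log_text, resolve=None):
    """Apply the same policy to logged requests; returns [(line_no, url, reason), ...]."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than guess
        url = parts[3]
        allowed, reason = check_outbound_url(url, resolve)
        if not allowed:
            hits.append((line_no, url, reason))
    return hits


if __name__ == "__main__":
    for line_no, url, reason in find_policy_violations(SAMPLE_EGRESS_LOG, fake_resolver):
        print(f"line {line_no}: {url} -> {reason}")
```

Run as a script, the policy reports lines 2 through 5 of the constructed log: two direct internal destinations, one allow-listed name whose resolved address is internal, and one disallowed scheme. The resolved-address step is the part firewall rules alone do not give you, since a permitted hostname can later resolve to an internal address; enforcing the same policy at the gate and over the proxy log means a request that slipped past the gate still surfaces in monitoring.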


Technical Details

Data Version
5.1
Assigner Short Name
schneider
Date Reserved
2025-08-01T04:38:47.036Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68a5d214ad5a09ad000516a2

Added to database: 8/20/2025, 1:48:04 PM

Last enriched: 8/20/2025, 2:03:10 PM

Last updated: 8/22/2025, 1:09:30 AM
