
CVE-2025-54925: CWE-918 Server-Side Request Forgery (SSRF) in Schneider Electric EcoStruxure™ Power Monitoring Expert (PME)

High
Published: Wed Aug 20 2025 (08/20/2025, 13:44:21 UTC)
Source: CVE Database V5
Vendor/Project: Schneider Electric
Product: EcoStruxure™ Power Monitoring Expert (PME)

Description

CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthorized access to sensitive data when an attacker configures the application to access a malicious URL.

AI-Powered Analysis

Last updated: 08/20/2025, 14:18:10 UTC

Technical Analysis

CVE-2025-54925 is a Server-Side Request Forgery (SSRF) vulnerability identified in Schneider Electric's EcoStruxure™ Power Monitoring Expert (PME) product, affecting versions 2022, 2023, 2024, and 2024 R2. SSRF vulnerabilities occur when an attacker can manipulate a vulnerable server to make HTTP requests to arbitrary domains or internal systems, potentially bypassing network access controls. In this case, the vulnerability allows an attacker to configure the PME application to access a malicious URL, which can lead to unauthorized access to sensitive data. The vulnerability is classified under CWE-918, indicating that the server does not properly validate or sanitize user-supplied URLs before making requests. The CVSS v3.1 score of 7.5 (high severity) reflects that the vulnerability can be exploited remotely over the network without authentication or user interaction, with a high impact on confidentiality but no impact on integrity or availability. Although no known exploits are currently reported in the wild, the potential for data exposure is significant given the nature of PME as a critical industrial monitoring system. The vulnerability could allow attackers to access internal resources or sensitive configuration data that should not be externally accessible, potentially leading to further compromise or information leakage within industrial control environments.

Potential Impact

For European organizations, especially those in critical infrastructure sectors such as energy, manufacturing, and utilities that rely on Schneider Electric's EcoStruxure™ PME for power monitoring and management, this vulnerability poses a serious risk. Unauthorized access to sensitive operational data could lead to exposure of network topology, system configurations, or operational metrics, which could be leveraged for further attacks or industrial espionage. Given the role of PME in monitoring power systems, attackers could gain insights into energy consumption patterns or system statuses, potentially disrupting operational confidentiality. While the vulnerability does not directly impact system integrity or availability, the confidentiality breach alone can have regulatory and operational consequences, including violations of GDPR if personal or sensitive data is involved. The lack of required authentication and user interaction increases the risk of automated exploitation attempts, which could be particularly concerning in environments with internet-facing PME instances or insufficient network segmentation.

Mitigation Recommendations

To mitigate this SSRF vulnerability, European organizations should immediately assess their deployment of Schneider Electric EcoStruxure™ PME and identify affected versions. Since no patch links are currently provided, organizations should engage directly with Schneider Electric support to obtain official patches or workarounds. In the interim, network-level controls should be enforced to restrict outbound HTTP requests from PME servers to only trusted domains and IP addresses, effectively limiting the ability to reach malicious URLs. Implement strict input validation and URL filtering on the PME application if customization is possible. Additionally, network segmentation should isolate PME systems from the internet and sensitive internal networks to reduce exposure. Monitoring and logging of outbound requests from PME servers should be enhanced to detect anomalous or unauthorized access attempts. Organizations should also review access controls and ensure that PME management interfaces are not publicly accessible. Finally, incorporate this vulnerability into incident response plans and conduct security awareness training for operational technology (OT) teams to recognize potential exploitation signs.
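One way to implement the allowlist, URL-filtering and address-pinning controls recommended above, written as an added example that is not Schneider Electric's or the PME product's code. The hostnames, the documentation-range IP addresses and the DNS answers are constructed, and a deployment that legitimately needs an internal destination would have to add an explicit rule for it rather than relax the public-address check.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of destinations the server may fetch from: hypothetical
# names and a documentation-range IP, not Schneider Electric infrastructure.
ALLOWED_HOSTS = {"reports.example.com", "api.partner.example.net", "198.51.100.7"}
# Non-routable ranges: loopback, RFC 1918, link-local (incl. 169.254.169.254 metadata), CGNAT, multicast/reserved, IPv6 ULA.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]
# Constructed DNS answers (not real records); the second name is allowlisted but answers with an internal address.
CONSTRUCTED_DNS = {"reports.example.com": ["203.0.113.10"], "api.partner.example.net": ["10.0.0.5"]}

def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:        # ::ffff:10.0.0.5 is still 10.0.0.5
        addr = addr.ipv4_mapped
    return not any(addr in net for net in BLOCKED_NETS)

def system_resolver(host: str) -> list:
    """OS resolver; tests pass table_resolver instead so the check runs offline."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def table_resolver(host: str) -> list:
    return CONSTRUCTED_DNS.get(host, [])

def validate_outbound_url(url: str, resolver=system_resolver):
    """Return (allowed, detail); on success detail is the pinned address list to connect to."""
    try:
        parts = urlsplit(url)
        port = parts.port                              # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not permitted: {parts.scheme!r}"
    if port not in (None, 80, 443):
        return False, f"port not permitted: {port}"
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:                      # also rejects empty host, userinfo tricks and lookalike names
        return False, f"host not in allowlist: {host!r}"
    try:
        addrs = [str(ipaddress.ip_address(host))]      # IP literal: nothing to resolve
    except ValueError:
        addrs = resolver(host)
    bad = [a for a in addrs if not is_public_address(a)]
    if not addrs or bad:
        return False, f"unresolvable or non-public address for {host}: {bad}"
    return True, addrs                                 # connect to these, not to a fresh lookup
```

Connecting to the returned addresses rather than re-resolving the name is what closes the window in which a DNS answer could change between the check and the request.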


Technical Details

Data Version: 5.1
Assigner Short Name: schneider
Date Reserved: 2025-08-01T04:38:47.036Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a5d58ead5a09ad00052200

Added to database: 8/20/2025, 2:02:54 PM

Last enriched: 8/20/2025, 2:18:10 PM

Last updated: 8/21/2025, 12:35:14 AM
