Cyber Posture

CVE-2024-11425

High

Published: 17 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: (none listed)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0034 (56.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11425 is a high-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in the webserver component of a Schneider Electric product (vendor inferred from the references; NVD filed no CPE, so the specific product is not identified here). Its CVSS v3.1 base score is 7.5 (High).

Operationally, its EPSS score places it in the top 43.2% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (vendor patch): Directly remediates the buffer size calculation flaw in the webserver by applying the vendor patches or updates specified in the Schneider Electric security notice.

- prevent (SI-10, Information Input Validation): Validates the size and structure of incoming HTTPS packets before any buffer is sized, so crafted length fields cannot drive the incorrect buffer size calculation.

- prevent (SC-5, Denial-of-service Protection): Limits the effect of crafted HTTPS packets aimed at the webserver, so a single unauthenticated source cannot take the product offline.

NVD Description

CWE-131: Incorrect Calculation of Buffer Size vulnerability exists that could cause Denial-of-Service of the product when an unauthenticated user is sending a crafted HTTPS packet to the webserver.

Deeper analysis

CVE-2024-11425 is a CWE-131 (Incorrect Calculation of Buffer Size) vulnerability in the webserver component of a Schneider Electric product. The CVE was published on 17 January 2025. The flaw stems from an incorrect buffer size calculation in the webserver's handling of HTTPS traffic; when it is triggered, the product enters a denial-of-service condition.

An unauthenticated remote attacker can exploit the vulnerability over the network with low attack complexity and no user interaction. By sending a crafted HTTPS packet to the webserver, the attacker causes a denial-of-service that disrupts product availability. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a high impact on availability with no confidentiality or integrity impact; the vendor notice does not describe the internal cause in more detail, so the exact miscalculation is not public.
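The vulnerability class described above, and the input-validation control (SI-10) listed under Mitigating Controls, are illustrated by the following added example written for this page. It is not Schneider Electric's code and does not reproduce the actual flaw in the affected webserver, whose internals the vendor notice does not publish; the two-length record format, the MAX_RECORD ceiling and the sample packets are all constructed for the illustration. The vulnerable function sums two attacker-controlled 16-bit length fields into a 16-bit variable, the classic CWE-131 shape, while the hardened function widens the lengths and checks them against the bytes actually received before sizing any buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed record ceiling; a real server would take this from its protocol. */
#define MAX_RECORD 4096

/* Constructed sample input, not captured traffic. The header length field is
 * 0xFFFE (65534) and the payload length is 16, but only 8 bytes follow. */
const uint8_t CRAFTED[] = { 0xFF, 0xFE, 0x00, 0x10,
                            'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };

/* Constructed well-formed record: 2-byte header, 3-byte payload. */
const uint8_t BENIGN[] = { 0x00, 0x02, 0x00, 0x03, 'h', 'd', 'p', 'a', 'y' };

/* Read a 16-bit big-endian field. */
static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Vulnerable size calculation (CWE-131). The two attacker-controlled 16-bit
 * lengths are summed and truncated back to 16 bits, so 65534 + 16 becomes 14.
 * Neither field is compared with the bytes actually received. A server that
 * allocated this many bytes and then copied payload_len bytes into it would
 * write past the buffer; the copy is deliberately omitted so the example is
 * safe to run. Returns the (wrong) size it would allocate. */
uint16_t vulnerable_buffer_size(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 4) return 0;
    uint16_t header_len  = rd16(pkt);
    uint16_t payload_len = rd16(pkt + 2);
    uint16_t total = (uint16_t)(header_len + payload_len);  /* wraps mod 65536 */
    return total;
}

/* 1 if the vulnerable path would copy more payload bytes than it allocated. */
int vulnerable_copy_overflows(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 4) return 0;
    return rd16(pkt + 2) > vulnerable_buffer_size(pkt, pkt_len);
}

/* Hardened calculation in the spirit of NIST SI-10 (input validation):
 * lengths are widened to size_t before arithmetic, the claimed sizes are
 * checked against the bytes actually present, and the record is capped.
 * Returns the validated buffer size, or 0 if the record must be rejected. */
size_t hardened_buffer_size(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 4 || pkt_len > MAX_RECORD) return 0;
    size_t header_len  = rd16(pkt);
    size_t payload_len = rd16(pkt + 2);
    size_t total = header_len + payload_len;   /* two u16 cannot wrap in size_t */
    if (total > pkt_len - 4) return 0;         /* claims more data than received */
    return total;
}

int main(void) {
    printf("crafted: vulnerable size=%u, would overflow=%d, hardened size=%zu\n",
           vulnerable_buffer_size(CRAFTED, sizeof CRAFTED),
           vulnerable_copy_overflows(CRAFTED, sizeof CRAFTED),
           hardened_buffer_size(CRAFTED, sizeof CRAFTED));
    printf("benign:  vulnerable size=%u, would overflow=%d, hardened size=%zu\n",
           vulnerable_buffer_size(BENIGN, sizeof BENIGN),
           vulnerable_copy_overflows(BENIGN, sizeof BENIGN),
           hardened_buffer_size(BENIGN, sizeof BENIGN));
    return 0;
}
```

Compile with `cc -Wall example.c`. On the crafted record the vulnerable calculation returns 14 while the payload field claims 16 bytes, so a server that allocated 14 bytes and copied 16 would corrupt its heap and typically crash, which is the denial-of-service outcome the NVD description reports; the hardened function rejects the same record outright because the claimed lengths exceed what was received, and accepts the benign record with the same size the naive calculation produced.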

Mitigation details are provided in Schneider Electric Security and Safety Notice SEVD-2025-014-01, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-01.pdf.

Details

CWE(s)

CWE-131: Incorrect Calculation of Buffer Size

Affected Products

Schneider Electric (vendor inferred from the references and the description; NVD did not file a CPE for this CVE, so no specific product or version is recorded)

CVEs Like This One

- CVE-2026-20049 (shared CWE-131)
- CVE-2025-1861 (shared CWE-131)
- CVE-2026-20911 (shared CWE-131)
- CVE-2019-25555 (shared CWE-131)
- CVE-2026-1949 (shared CWE-131)
- CVE-2025-66216 (shared CWE-131)
- CVE-2024-8361 (shared CWE-131)
- CVE-2026-33984 (shared CWE-131)
- CVE-2026-29645 (shared CWE-131)
- CVE-2026-1188 (shared CWE-131)

References

- Schneider Electric Security and Safety Notice SEVD-2025-014-01: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-01.pdf