CVE-2024-12703
Published: 17 January 2025
Summary
CVE-2024-12703 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Schneider Electric software (vendor inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 19.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-12703 is a CWE-502 deserialization of untrusted data vulnerability that could lead to loss of confidentiality and integrity, and to potential remote code execution on a workstation. It affects Schneider Electric software, as detailed in the vendor's security notice. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity with local access required, low attack complexity, no privileges needed, and user interaction required.
The attack scenario involves a non-admin authenticated user opening a malicious project file, which triggers the deserialization flaw. An attacker with local access can craft this file to exploit the vulnerability, achieving high impacts on confidentiality, integrity, and availability, including potential remote code execution on the affected workstation.
Mitigation details are provided in Schneider Electric's security advisory SEVD-2025-014-06, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-06&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-06.pdf. Security practitioners should consult this document for patching instructions and workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51061
Vulnerability details
CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Deserialization flaw in client software triggered by opening a malicious project file directly enables client-side exploitation and user-driven malicious file execution leading to RCE.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Requires timely patching and flaw remediation to eliminate the deserialization vulnerability exploited by malicious project files.
Mandates validation of untrusted inputs such as project files before deserialization to block exploitation of CWE-502.
Deploys malicious code protection mechanisms to scan and block project files containing deserialization payloads leading to RCE.