CVE-2024-12703

High

Published: 17 January 2025

Published

17 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0101 77.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12703 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Schneider Electric (inferred from references). Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 22.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely patching and flaw remediation to eliminate the deserialization vulnerability exploited by malicious project files.

SI-10 Information Input Validation good match

prevent

Mandates validation of untrusted inputs such as project files before deserialization to block exploitation of CWE-502.

SI-3 Malicious Code Protection partial match

preventdetect

Deploys malicious code protection mechanisms to scan and block project files containing deserialization payloads leading to RCE.

NVD Description

CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file.

Deeper analysisAI

CVE-2024-12703 is a CWE-502 deserialization of untrusted data vulnerability that could lead to loss of confidentiality, integrity, and potential remote code execution on a workstation. It affects Schneider Electric software, as detailed in their security notice. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity with local access required, low attack complexity, no privileges needed, and user interaction.

The attack scenario involves a non-admin authenticated user opening a malicious project file, which triggers the deserialization flaw. An attacker with local access can craft this file to exploit the vulnerability, achieving high impacts on confidentiality, integrity, and availability, including potential remote code execution on the affected workstation.

Mitigation details are provided in Schneider Electric's security advisory SEVD-2025-014-06, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-06&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-06.pdf. Security practitioners should consult this document for patching instructions and workarounds.