Cyber Resilience

CVE-2025-0327

HighLPE

Published: 13 February 2025

Published
13 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0015 35.8th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0327 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Schneider Electric (inferred from references). Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Services Registry Permissions Weakness (T1574.011); ranked at the 35.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).

Deeper analysis

CVE-2025-0327 is a CWE-269 improper privilege management vulnerability affecting two Windows services on engineering workstations from Schneider Electric. One service manages audit trail data, while the other functions as a server handling client requests. Published on 2025-02-13, it has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to significant impacts on confidentiality, integrity, and availability.

A local attacker with standard low privileges can exploit the vulnerability by modifying the executable path of the affected services. Exploitation requires restarting the services, after which the attacker can achieve a loss of confidentiality, integrity, and availability on the engineering workstation, potentially allowing arbitrary code execution or full system compromise under the services' context.

Schneider Electric has issued security notice SEVD-2025-042-03, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-042-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-042-03.pdf, which provides details on the vulnerability and recommended mitigations.

EU & UK References

Vulnerability details

CWE-269: Improper Privilege Management vulnerability exists for two services (of which one managing audit trail data and the other acting as server managing client request) that could cause a loss of Confidentiality, Integrity and Availability of engineering workstation when an…

more

attacker with standard privilege modifies the executable path of the windows services. To be exploited, services need to be restarted.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.011 Services Registry Permissions Weakness Stealth
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1543.003 Windows Service Persistence
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.
Why these techniques?

Improper service registry permissions (CWE-269) allow low-priv modification of ImagePath, enabling service hijack for privilege escalation and arbitrary execution under service context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-44250Shared CWE-269
CVE-2024-53706Shared CWE-269
CVE-2025-66374Shared CWE-269
CVE-2026-28995Shared CWE-269
CVE-2025-43199Shared CWE-269
CVE-2025-36640Shared CWE-269
CVE-2025-8899Shared CWE-269
CVE-2024-47770Shared CWE-269
CVE-2025-24254Shared CWE-269
CVE-2025-27639Shared CWE-269

Affected Assets

Schneider Electric
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces least privilege to prevent low-privilege attackers from modifying executable paths of elevated Windows services.

prevent

Restricts access to system change configurations, blocking unauthorized modifications to service executable paths in the registry.

prevent

Establishes and maintains secure configuration settings for services, including ACLs on registry keys to block low-privilege writes.

References