CVE-2025-1058
Published: 13 February 2025
Summary
CVE-2025-1058 is a high-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Schneider Electric (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Firmware (T1542.001); ranked at the 30.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
CVE-2025-1058 is a CWE-494: Download of Code Without Integrity Check vulnerability in a Schneider Electric device. The issue arises when firmware is downloaded without proper integrity verification, potentially allowing malicious firmware to be installed. Published on 2025-02-13, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), reflecting high severity primarily from impacts to integrity and availability.
An attacker requires only low privileges (PR:L) to exploit this vulnerability over the network (AV:N) with low attack complexity and no user interaction. Successful exploitation enables the download of malicious firmware, which can render the affected device inoperable, achieving high integrity (I:H) and availability (A:H) impacts with no confidentiality effects.
Schneider Electric has published Security and Safety Notice SEVD-2025-042-01, available at https://download.schneider-electric.com/files?p_Doc_Ref=sevd-2025-042-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-042-01.pdf, which provides further details on mitigation and remediation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1981
Vulnerability details
CWE-494: Download of Code Without Integrity Check vulnerability exists that could render the device inoperable when malicious firmware is downloaded.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables installation of malicious firmware due to missing integrity checks, directly facilitating System Firmware compromise (T1542.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-7 mandates integrity verification tools and techniques for firmware to detect unauthorized modifications, directly addressing the lack of integrity checks during malicious firmware download.
CM-14 requires digitally signed system components like firmware prior to installation or execution, preventing installation of unsigned or tampered firmware.
SR-11 enforces verification of component authenticity prior to connection or operation, mitigating risks from unverified firmware downloads in devices.