Cyber Resilience

CVE-2025-13845

Severity: High
Published: 15 January 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: see Schneider Electric advisory SEVD-2026-013-04
CVSS v4.0 Score: 8.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0031 (22.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-13845 is a high-severity Use After Free (CWE-416) vulnerability in Schneider Electric EcoStruxure Power Build - Rapsody. Its CVSS v4.0 base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 22.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-13845 is a CWE-416 Use After Free vulnerability affecting Rapsody software. The flaw is triggered when an end user imports a malicious project file in SSD format, potentially leading to remote code execution. Published on 2026-01-15 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), the defect lies in Rapsody's parsing of SSD project files.

An attacker can exploit this vulnerability by crafting a malicious SSD project file and tricking a user into importing it into Rapsody on their local system. No privileges are required (PR:N), but user interaction is necessary (UI:R), such as via social engineering to convince the victim to open the file. Successful exploitation grants high-impact confidentiality, integrity, and availability consequences, enabling remote code execution on the affected machine.

Mitigation details are outlined in the Schneider Electric security advisory SEVD-2026-013-04, published as a PDF by the vendor. Security practitioners should consult this document for patch information, workarounds, and affected versions of Rapsody.

Vulnerability details

CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

A use-after-free in a local file parser enables client-side RCE when the user opens a crafted SSD file (T1204.002), which directly matches Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-21159 (shared CWE-416)
CVE-2026-27283 (shared CWE-416)
CVE-2026-21351 (shared CWE-416)
CVE-2026-27220 (shared CWE-416)
CVE-2025-23402 (shared CWE-416)
CVE-2024-54499 (shared CWE-416)
CVE-2025-0899 (shared CWE-416)
CVE-2026-32197 (shared CWE-416)
CVE-2025-21397 (shared CWE-416)
CVE-2025-27174 (shared CWE-416)

Affected Assets

Vendor: schneider-electric
Product: ecostruxure power build - rapsody
Affected versions: ≤ 2.8.1.0300 · ≤ 2.8.2.0000 · ≤ 2.8.3.0100

Mitigating Controls (NIST 800-53 r5)

Prevent (flaw remediation): Timely flaw remediation through patching the Use After Free vulnerability in Rapsody's SSD file parsing directly prevents remote code execution, as outlined in the Schneider Electric advisory.

Prevent (SI-16 Memory Protection): Memory protection mechanisms such as ASLR, DEP, and stack canaries mitigate exploitation of the CWE-416 Use After Free vulnerability and help prevent arbitrary code execution.

Prevent (SI-10 Information Input Validation): Validating the structure and integrity of imported SSD project files prevents malformed inputs from triggering the Use After Free condition during parsing.

References