CVE-2025-1960
Published: 12 March 2025
Summary
CVE-2025-1960 is a critical-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in a Schneider Electric product (vendor inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 43.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires immediate change from temporary or default passwords to permanent ones upon first use, preventing exploitation of unchanged default credentials.
- Mandates management of accounts to disable unnecessary or default accounts and enforce secure provisioning, mitigating risks from persistent default credentials.
- Enforces secure configuration settings that prohibit insecure defaults, including password requirements and UI display of credentials, addressing the initialization flaw.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly stems from insecure default credentials (CWE-1188) that have not been changed, enabling remote unauthenticated access and command execution on a public-facing WebHMI interface.
NVD Description
CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could cause an attacker to execute unauthorized commands when a system's default password credentials have not been changed on first use. The default username is not displayed correctly in the WebHMI interface.
Deeper analysis
CVE-2025-1960 is a CWE-1188 vulnerability involving the initialization of a resource with an insecure default, affecting systems where default password credentials have not been changed upon first use. This flaw enables an attacker to execute unauthorized commands and includes an issue where the default username is not displayed correctly in the WebHMI interface. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.
Any remote attacker with network access can exploit this vulnerability without authentication or user interaction, provided the system's default credentials remain unchanged. Successful exploitation allows the attacker to execute unauthorized commands on the affected system, potentially leading to full compromise including data exfiltration, modification, or disruption.
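The first mitigating control above (force a change away from the factory credential on first use) and the account-management control (know which accounts still carry a default) can both be expressed in code. The following is an added illustration written for this page, not Schneider Electric's code and not the affected WebHMI's real logic; the `admin`/`changeme` credential, the `Hmi` class and its methods are constructed placeholders. It shows a login flow in which a factory-default account can authenticate only far enough to replace its password, every other command is refused until that happens, the replacement may not reuse a shipped default, and an inventory query lists accounts that still sit on the default.

```python
"""First-use default-credential guard (constructed example, not vendor code)."""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed placeholder; the product's real default credential is not on the page.
FACTORY_DEFAULTS = {"admin": "changeme"}
PBKDF2_ROUNDS = 200_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username: str, password: str, factory_default: bool):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        # CWE-1188 guard: a shipped credential stays flagged until the operator replaces it.
        self.must_change = factory_default

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


class Session:
    def __init__(self, account: Account):
        self.account = account

    @property
    def restricted(self) -> bool:
        # While the default is still in place, only a password change is allowed.
        return self.account.must_change


class Hmi:
    """Minimal stand-in for a web HMI's authentication and command dispatch (hypothetical)."""

    def __init__(self) -> None:
        # Provisioning: the shipped default is loaded, but flagged must_change from the start.
        self.accounts = {
            user: Account(user, pw, factory_default=True)
            for user, pw in FACTORY_DEFAULTS.items()
        }

    def login(self, username: str, password: str) -> Session | None:
        acct = self.accounts.get(username)
        if acct is None or not acct.verify(password):
            return None
        return Session(acct)

    def execute(self, session: Session, command: str) -> str:
        if session.restricted:
            raise PermissionError("default credential in use; change the password first")
        return f"executed {command}"

    def change_password(self, session: Session, new_password: str) -> bool:
        # Refuse any factory default (for any account) and trivially short secrets.
        if new_password in FACTORY_DEFAULTS.values() or len(new_password) < 12:
            return False
        acct = session.account
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.must_change = False
        return True

    def accounts_with_default_credentials(self) -> list[str]:
        """Inventory check for AC-2: accounts that still carry the shipped default."""
        return sorted(u for u, a in self.accounts.items() if a.must_change)


if __name__ == "__main__":
    hmi = Hmi()
    s = hmi.login("admin", "changeme")
    print("still on defaults:", hmi.accounts_with_default_credentials())
    try:
        hmi.execute(s, "reboot")
    except PermissionError as e:
        print("refused:", e)
    hmi.change_password(s, "correct horse battery staple")
    print(hmi.execute(s, "reboot"))
    print("still on defaults:", hmi.accounts_with_default_credentials())
```

The `accounts_with_default_credentials()` query is the piece worth exporting to monitoring: a device that still reports any name there after commissioning is exactly the state the CVE describes, and that condition is cheap to alert on before an unauthenticated remote party finds it.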
For mitigation details, security practitioners should refer to the Schneider Electric security advisory SEVD-2025-070-03 available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-070-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-070-03.pdf.
Details
- CWE(s)