Cyber Posture

CVE-2024-11425

Severity: High

Published: 17 January 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0034 (56.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A CWE-131: Incorrect Calculation of Buffer Size vulnerability exists that could cause a Denial-of-Service of the product when an unauthenticated user sends a crafted HTTPS packet to the webserver.

Security Summary

CVE-2024-11425 is a CWE-131: Incorrect Calculation of Buffer Size vulnerability that affects the webserver component of a Schneider Electric product. Published on January 17, 2025, the flaw stems from improper buffer size calculations, which could lead to a denial-of-service condition when triggered.

An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. By sending a crafted HTTPS packet to the webserver, the attacker can cause a denial-of-service, disrupting product availability. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects high severity, driven entirely by the availability impact; no confidentiality or integrity effects are recorded.

Mitigation details are provided in Schneider Electric Security and Safety Notice SEVD-2025-014-01, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-01.pdf.

Details

CWE(s): CWE-131

References