CVE-2024-12476

High

Published: 17 January 2025

Published

17 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0023 45.5th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure, impacts workstation integrity and potential remote code execution on the compromised computer, when specific crafted XML file is imported in the Web Designer configuration tool.

Security Summary

CVE-2024-12476 is an Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Schneider Electric's Web Designer configuration tool. The issue arises when a specifically crafted XML file is imported, potentially causing information disclosure and impacting workstation integrity.

Exploitation requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), and user interaction (UI:R), such as tricking a user into importing a malicious XML file via social engineering. A successful attack can achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), including potential remote code execution on the compromised workstation. The CVSS v3.1 base score is 7.8.

Mitigation details are provided in Schneider Electric's Security Notification SEVD-2025-014-04, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-04.pdf.

Details

CWE(s): CWE-611

References

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-04.pdf
cybersecurity@se.com