Cyber Posture

CVE-2024-12703

High

Published: 17 January 2025
Modified: 15 April 2026
KEV Added: (none)
Patch: see the vendor advisory below
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0101 (77.2nd percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A CWE-502 (deserialization of untrusted data) vulnerability exists that could lead to loss of confidentiality and integrity, and to potential remote code execution on the workstation, when a non-admin authenticated user opens a malicious project file.

Security Summary

CVE-2024-12703 is a CWE-502 deserialization of untrusted data vulnerability that could lead to loss of confidentiality and integrity, and to potential remote code execution on a workstation. It affects Schneider Electric software, as detailed in the vendor's security notice. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity: local access is required, attack complexity is low, no privileges are needed, and user interaction is required.

The attack scenario involves a non-admin authenticated user opening a malicious project file, which triggers the deserialization flaw. An attacker with local access can craft this file to exploit the vulnerability, achieving high impacts on confidentiality, integrity, and availability, including potential remote code execution on the affected workstation.

Mitigation details are provided in Schneider Electric's security advisory SEVD-2025-014-06, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-06&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-06.pdf. Security practitioners should consult this document for patching instructions and workarounds.

Details

CWE(s): CWE-502