Cyber Posture

CVE-2025-1070

High

Published: 13 February 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0019 (40.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could render the device inoperable when a malicious file is downloaded.

Security Summary

CVE-2025-1070 is a CWE-434 unrestricted upload of file with dangerous type vulnerability that could render the affected device inoperable when a malicious file is downloaded. Published on 2025-02-13 with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), it impacts a Schneider Electric device, as detailed in their security notice.

An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation has a high integrity (I:H) and high availability (A:H) impact with no confidentiality impact (C:N): uploading a malicious file that is subsequently downloaded can render the device inoperable.

The Schneider Electric security and safety notice SEVD-2025-042-01, available at the referenced URL, provides details on mitigation measures for this vulnerability.

Details

CWE(s)
CWE-434

References