
Ethical Disclosure in Action

Author: Pentest

As a trusted security partner, we are regularly contacted by customers to provide advice or guidance around the design or delivery of a project they are working on. In this instance, a client approached us to assess the security posture of a product called EcoStruxure Building Operation (EBO) Software, which they were implementing as part of a Building Management System (BMS) modernisation project.

We were engaged to conduct an unbiased review of this solution and its implementation, performing a time-limited penetration test as part of the customer’s due diligence activities. Our goal was to identify any deviations from security industry best practices that could increase their risk exposure, and where appropriate, provide actionable recommendations to remediate or mitigate those risks, or enable the implementation of robust compensating controls.

Whenever we are engaged to deliver a piece of work, we always look for ways to add extra value. One common area that often gets overlooked, and where we like to remind our customers, is that a penetration test simulates a real-world attack. Thus, it serves as an excellent opportunity to test the effectiveness of in-place monitoring and alerting procedures, validating they are fit for purpose. Furthermore, it offers an ideal window for creating custom signatures based on observed attack patterns, which can be used to generate alerts for intrusion detection systems, such as Nvision, or be integrated into SIEMs like Sentinel or Splunk.

Given the time-limited nature of this engagement, we needed to work efficiently to maximise our available time. Since the system was hosted internally on a dedicated management network and only accessible to a relatively small team of trusted employees, we determined that unauthenticated access and user-level access posed the largest potential risk, particularly for the front-end components that did most of the heavy lifting.

Overview of EcoStruxure Building Operation Software

EcoStruxure Building Operation Software, developed by Schneider Electric, is an “open and scalable software platform providing insight, control and management of multiple building systems and devices in one mobile-enabled convenient view. It delivers valuable data for decision-making to improve energy management and increase efficiency for better building performance and comfort, reduce carbon, and create more sustainable building environments.”

Findings/Disclosure

After discovering the vulnerabilities detailed below, we collaborated with Schneider Electric on our customer’s behalf to coordinate the disclosure process. This allowed us to alleviate the burden on our customer and simplify the overall process. After we provided Schneider Electric with the information needed to confirm the presence of the vulnerabilities, they developed the required updates and released official fixes in accordance with their responsible disclosure guidelines, thereby protecting customers and satisfying the disclosure policies.

So far, Schneider has addressed and released fixes for two issues:

CVE-2025-8448: This issue was found to be a vulnerability for users accessing the WebStation, a web-based application that provides access to a limited set of functionality within the EcoStruxure Building Operation Software. It allowed an authenticated attacker on the BMS network to cause the server to send a service account hash for the WebStation computer, during the login process, to an IP address or hostname controlled by the attacker.

CVE-2025-8449: This issue was discovered for authenticated users of the same WebStation. It was determined that some authenticated users, depending on privilege level, could send a request to a specific API endpoint with a tailored payload, which would corrupt the service memory and cause the service to crash.
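The point we make above about turning observed attack patterns into monitoring signatures applies directly to CVE-2025-8448: a BMS server that is induced to authenticate to an attacker-chosen host will show up as an outbound connection from the WebStation machine to a destination it has no business talking to. The following is an added example of that detection logic, written for this write-up and not taken from the original post, from Schneider Electric, or from the EBO product. Everything in it is constructed or assumed: the firewall log line format, the WebStation address, the destination allowlist, and the set of ports treated as credential-bearing (the post does not name the protocol involved, so the example assumes the common SMB and HTTP cases).

```python
"""Flag outbound connections from a BMS WebStation host that could carry a
service-account credential to a destination outside an allowlist.

Illustrative detection logic only; the log format, addresses and port set
are constructed assumptions, not EcoStruxure Building Operation specifics.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed firewall log format (assumed, not any real product's format):
#   <ts> action=<allow|deny> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)

# Hypothetical deployment facts: the WebStation server address and the only
# networks it is expected to authenticate to (domain controllers, the EBO
# server segment).  Replace with the values from your own environment.
WEBSTATION_HOST = ip_address("10.20.30.5")
ALLOWED_DESTINATIONS = [ip_network("10.20.30.0/24"), ip_network("10.0.1.0/24")]

# Ports on which a Windows host commonly sends its own credential when it is
# coaxed into authenticating to a remote name or IP.  Assumption: SMB and
# HTTP/WebDAV; the original post does not state which protocol was involved.
CREDENTIAL_PORTS = {445, 139, 80, 443}


@dataclass(frozen=True)
class Alert:
    ts: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_destination(dst):
    """True if the destination address falls inside any allowlisted network."""
    return any(dst in net for net in ALLOWED_DESTINATIONS)


def detect_credential_egress(lines):
    """Return an Alert for every WebStation-originated connection on a
    credential-bearing port to a non-allowlisted destination.

    Denied attempts are reported too: a firewall block stops the credential
    leaving, but the attempt itself is the evidence that the server was
    induced to authenticate somewhere it should not.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line, skip
        if ip_address(rec["src"]) != WEBSTATION_HOST:
            continue                      # only the WebStation's own egress
        if rec["dport"] not in CREDENTIAL_PORTS:
            continue                      # not a port that carries credentials
        dst = ip_address(rec["dst"])
        if is_allowed_destination(dst):
            continue                      # expected authentication target
        reason = (f"WebStation outbound {rec['proto']}/{rec['dport']} to "
                  f"non-allowlisted {dst} ({rec['action']})")
        alerts.append(Alert(rec["ts"], str(dst), rec["dport"], reason))
    return alerts


# Constructed sample log lines: two benign, one ignored, two that should alert.
SAMPLE_LOGS = [
    "2025-06-01T09:00:01Z action=allow src=10.20.30.5 dst=10.0.1.10 dport=445 proto=tcp",    # DC, allowed
    "2025-06-01T09:00:02Z action=allow src=10.20.30.40 dst=10.20.30.5 dport=443 proto=tcp",  # client -> WebStation
    "2025-06-01T09:00:03Z action=allow src=10.20.30.5 dst=10.20.31.77 dport=8080 proto=tcp", # non-credential port
    "2025-06-01T09:00:04Z action=allow src=10.20.30.5 dst=10.20.31.77 dport=445 proto=tcp",  # ALERT
    "2025-06-01T09:00:05Z action=deny src=10.20.30.5 dst=10.20.31.77 dport=80 proto=tcp",    # ALERT (blocked)
]

if __name__ == "__main__":
    for alert in detect_credential_egress(SAMPLE_LOGS):
        print(alert.ts, alert.reason)
```

The design choice worth noting is that the rule keys on the source being the BMS server itself rather than on the destination being "known bad": a management-network server has a small, enumerable set of hosts it should ever authenticate to, so an allowlist is both simpler and more durable than a blocklist, and the same rule doubles as the egress-filtering policy you would want the firewall to enforce.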

In summary

Through a focused and time-efficient penetration test, we were able to identify vulnerabilities that could have exposed our client, and other users of the software to moderate risk. Our collaborative efforts with the supplier facilitated a smooth disclosure process, enabling the prompt remediation of identified issues while adhering to responsible security practices. Big thanks must go to Schneider Electric in this regard.

This engagement serves as a valuable reminder of the necessity for ongoing diligence in security practices, ensuring that products and systems are thoroughly tested to mitigate threats effectively.

If you wish to take proactive steps toward safeguarding your assets and reputation, contact Pentest today and see how our penetration testing can provide you with the assurance that your security posture is robust and resilient.
