{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1960", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "state": "PUBLISHED", "assignerShortName": "schneider", "dateReserved": "2025-03-04T16:25:22.129Z", "datePublished": "2025-03-12T15:33:59.173Z", "dateUpdated": "2025-03-13T18:32:42.467Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WebHMI \u2013 Deployed with EcoStruxure Power Automation System", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "WebHMI v4.1.0.0 and prior when deployed with EPAS User Interface 2.6.30.19 and prior"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could cause an\nattacker to execute unauthorized commands when a system\u2019s default password credentials have not been\nchanged on first use. The default username is not displayed correctly in the WebHMI interface. \n\n<br>"}], "value": "CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could cause an\nattacker to execute unauthorized commands when a system\u2019s default password credentials have not been\nchanged on first use. The default username is not displayed correctly in the WebHMI interface."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1188", "description": "CWE-1188 Insecure Default Initialization of Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2025-03-13T18:32:42.467Z"}, "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-070-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-070-03.pdf"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-12T15:56:56.322926Z", "id": "CVE-2025-1960", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T15:57:18.555Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1960", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-12T15:56:56.322926Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T15:57:15.808Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Schneider Electric", "product": "WebHMI \u2013 Deployed with EcoStruxure Power Automation System", "versions": [{"status": "affected", "version": "WebHMI v4.1.0.0 and prior when deployed with EPAS User Interface 2.6.30.19 and prior"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-070-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-070-03.pdf"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could cause an\nattacker to execute unauthorized commands when a system\u2019s default password credentials have not been\nchanged on first use. The default username is not displayed correctly in the WebHMI interface.", "supportingMedia": [{"type": "text/html", "value": "CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could cause an\nattacker to execute unauthorized commands when a system\u2019s default password credentials have not been\nchanged on first use. The default username is not displayed correctly in the WebHMI interface. \n\n<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1188", "description": "CWE-1188 Insecure Default Initialization of Resource"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2025-03-13T18:32:42.467Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1960", "state": "PUBLISHED", "dateUpdated": "2025-03-13T18:32:42.467Z", "dateReserved": "2025-03-04T16:25:22.129Z", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "datePublished": "2025-03-12T15:33:59.173Z", "assignerShortName": "schneider"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could cause an\nattacker to execute unauthorized commands when a system\u2019s default password credentials have not been\nchanged on first use. The default username is not displayed correctly in the WebHMI interface."}, {"lang": "es", "value": "CWE-1188: Existe una vulnerabilidad de inicializaci\u00f3n de un recurso con un valor predeterminado inseguro que podr\u00eda provocar que un atacante ejecute comandos no autorizados cuando las credenciales de contrase\u00f1a predeterminadas de un sistema no se hayan cambiado en el primer uso. El nombre de usuario predeterminado no se muestra correctamente en la interfaz WebHMI."}], "id": "CVE-2025-1960", "lastModified": "2025-03-13T19:15:50.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cybersecurity@se.com", "type": "Secondary"}]}, "published": "2025-03-12T16:15:20.797", "references": [{"source": "cybersecurity@se.com", "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-070-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-070-03.pdf"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1188"}], "source": "cybersecurity@se.com", "type": "Secondary"}]}

{}