---
title: "Critical Flaws in Schneider Electric Plant iT/Brewmaxx Risk Remote Code Execution"
short_title: "Schneider Electric Plant iT/Brewmaxx critical vulnerabilities"
description: "Schneider Electric patches four critical vulnerabilities in Plant iT/Brewmaxx (CVE-2025-49844, CVE-2025-46817) enabling remote code execution. Apply mitigations now."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [schneider-electric, redis, remote-code-execution, cve-2025, industrial-security]
score: 0.92
cve_ids: [CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819]
---
## TL;DR
Schneider Electric has disclosed four critical vulnerabilities in its Plant iT/Brewmaxx industrial software, including use-after-free, integer overflow, and code injection flaws (CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819). Successful exploitation could lead to remote code execution (RCE) and privilege escalation, posing severe risks to energy, manufacturing, and commercial facilities worldwide. Immediate patching and mitigation steps are strongly recommended.
---
## Main Content
### Introduction
Schneider Electric, a global leader in industrial automation and energy management, has issued an urgent security advisory addressing four critical vulnerabilities in its Plant iT/Brewmaxx software. These flaws, stemming from the use of an outdated Redis in-memory database, could allow authenticated attackers to execute arbitrary code, escalate privileges, or cause denial-of-service (DoS) conditions. With deployment across critical infrastructure sectors—including energy, manufacturing, and commercial facilities—these vulnerabilities demand immediate attention from organizations relying on this technology.
---
### Key Points
- Critical Vulnerabilities: Four flaws (CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819) affect Plant iT/Brewmaxx version 9.60 and above, enabling remote code execution (RCE), privilege escalation, and DoS attacks.
- High CVSS Scores: The most severe vulnerability (CVE-2025-49844) has a CVSS score of 9.9 (Critical), reflecting its potential for widespread impact.
- Affected Sectors: Energy, critical manufacturing, and commercial facilities worldwide.
- Mitigation Available: Schneider Electric has released Patch ProLeiT-2025-001 and recommends disabling vulnerable Redis commands, applying secure configurations, and restarting systems.
- No Exploitation Reported: As of now, no public exploitation of these vulnerabilities has been reported.
---
### Technical Details
The vulnerabilities reside in Redis, an open-source in-memory database used by Plant iT/Brewmaxx. The flaws are exploitable via specially crafted Lua scripts and affect Redis versions 8.2.1 and below. Here’s a breakdown of each vulnerability:
#### CVE-2025-49844 (CVSS 9.9 - Critical)
- Type: Use After Free
- Description: An authenticated user can manipulate the Redis garbage collector using a malicious Lua script, triggering a use-after-free condition and potentially achieving remote code execution (RCE).
- Impact: High confidentiality, integrity, and availability risks.
#### CVE-2025-46817 (CVSS 7.0 - High)
- Type: Integer Overflow or Wraparound
- Description: A crafted Lua script can cause an integer overflow, leading to unintended behavior and potential RCE.
- Impact: High confidentiality and integrity risks, with moderate availability impact.
#### CVE-2025-46818 (CVSS 6.0 - Medium)
- Type: Improper Control of Generation of Code (Code Injection)
- Description: Attackers can manipulate Lua objects to execute arbitrary code in the context of another user.
- Impact: High confidentiality and integrity risks, with no direct availability impact.
#### CVE-2025-46819 (CVSS 6.3 - Medium)
- Type: Integer Overflow or Wraparound
- Description: A malicious Lua script can read out-of-bound data or crash the Redis server, causing a denial-of-service (DoS).
- Impact: High confidentiality and availability risks, with no integrity impact.
---
### Impact Assessment
The vulnerabilities pose severe risks to organizations using Plant iT/Brewmaxx, particularly in industrial control systems (ICS). Successful exploitation could result in:
- Remote Code Execution (RCE): Attackers could gain full control over affected systems, leading to data theft, sabotage, or operational disruption.
- Privilege Escalation: Malicious actors could elevate their privileges, compromising entire networks.
- Denial-of-Service (DoS): Crashing Redis servers could disrupt critical industrial processes, causing downtime and financial losses.
- Supply Chain Risks: As Schneider Electric’s software is widely used in energy and manufacturing, these flaws could have cascading effects on global supply chains.
---
### Mitigation Steps
Schneider Electric has released Patch ProLeiT-2025-001 to address these vulnerabilities. Organizations are urged to take the following steps immediately:
1. Apply the Patch:
   - Install ProLeiT-2025-001 via [ProLeiT Support](https://www.proleit.com/support/).
2. Disable Vulnerable Redis Commands:
   - After patching, disable the `eval` commands in Redis on:
     - Application servers
     - VisuHub systems
     - Engineering workstations
     - Workstations with emergency mode functionality.
3. Secure Redis Configurations:
   - Force the use of secure Redis configuration templates as documented in the patch manual.
4. Restart Systems:
   - Restart all patched servers and workstations to ensure changes take effect.
5. Follow Cybersecurity Best Practices:
   - Isolate ICS Networks: Locate control and safety system networks behind firewalls and isolate them from business networks.
   - Physical Security: Restrict access to industrial control systems, components, and networks.
   - Secure Remote Access: Use VPNs for remote access and ensure they are updated to the latest version.
   - Scan Mobile Devices: Sanitize USB drives, CDs, and other mobile data exchange methods before use.
   - Minimize Exposure: Ensure control system devices are not accessible from the internet.
For more details, refer to Schneider Electric’s [Recommended Cybersecurity Best Practices](https://www.se.com/us/en/download/document/7EN52-0390/).
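One way to verify step 2 on a patched host, as an added example that is not part of the advisory or of Schneider Electric's tooling: a Python audit of `redis.conf` text that reports which ACL users can still reach the eval commands. It assumes "the eval commands" means `EVAL`, `EVALSHA`, `EVAL_RO` and `EVALSHA_RO`, that users are defined inline in `redis.conf` rather than in a separate ACL file, and that ACL selectors are not in use; the sample configurations are constructed.

```python
import re

# Assumption: "the eval commands" are Redis's four Lua entry points below;
# the ProLeiT patch manual remains the authority for the exact list.
EVAL_FAMILY = ("EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO")

def disabled_by_rename(conf_text):
    """Commands removed with `rename-command NAME ""` (a rename to another name only hides them)."""
    disabled = set()
    for line in conf_text.splitlines():
        m = re.match(r'\s*rename-command\s+(\S+)\s+(\S+)', line, re.I)
        if m and m.group(2) in ('""', "''"):
            disabled.add(m.group(1).upper())
    return disabled

def acl_allows(conf_text):
    """Map each ACL user to the eval-family commands its rules still permit."""
    users = {"default": set(EVAL_FAMILY)}  # implicit default user carries +@all
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "user":
            continue
        allowed = set()  # a `user` line starts from no commands
        for rule in (p.lower() for p in parts[2:]):  # rules apply left to right
            if rule in ("+@all", "allcommands", "+@scripting"):
                allowed = set(EVAL_FAMILY)
            elif rule in ("-@all", "nocommands", "-@scripting"):
                allowed = set()
            elif rule[0] in "+-" and rule[1:].upper() in EVAL_FAMILY:
                (allowed.add if rule[0] == "+" else allowed.discard)(rule[1:].upper())
        users[parts[1]] = allowed
    return users

def audit(conf_text):
    """Return {user: [eval-family commands still callable]}; an empty dict passes."""
    gone = disabled_by_rename(conf_text)
    return {u: sorted(c - gone) for u, c in acl_allows(conf_text).items() if c - gone}

# Constructed sample configurations, not taken from the vendor templates.
WEAK = "user app on >example-only ~* +@all -eval -evalsha\n"
HARDENED = "\n".join(f'rename-command {c} ""' for c in EVAL_FAMILY) + "\n"
ACL_ONLY = "user default on >example-only ~* +@all -@scripting\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED), ("acl-only", ACL_ONLY)):
        print(name, audit(conf) or "no eval-family command reachable")
```

The weak sample fails twice: the `app` user keeps the read-only variants because only `EVAL` and `EVALSHA` were denied, and the untouched `default` user keeps all four.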
---
### Affected Systems
- Product: Schneider Electric Plant iT/Brewmaxx
- Version: 9.60 and above
- Vendor: Schneider Electric
- Critical Infrastructure Sectors: Energy, Critical Manufacturing, Commercial Facilities
- Deployment: Worldwide
---
## Conclusion
The discovery of these critical vulnerabilities in Schneider Electric’s Plant iT/Brewmaxx underscores the growing risks facing industrial control systems. With the potential for remote code execution, privilege escalation, and DoS attacks, organizations must act swiftly to apply patches and implement recommended mitigations. Failure to address these flaws could result in catastrophic operational disruptions, data breaches, and safety incidents.
As industrial environments become increasingly interconnected, the importance of proactive cybersecurity measures cannot be overstated. Organizations should prioritize network segmentation, access controls, and regular patch management to safeguard critical infrastructure from evolving threats.