Executive Summary
In March 2026, Schneider Electric disclosed multiple critical vulnerabilities in its Plant iT/Brewmaxx systems, stemming from the integration of Redis, an open-source in-memory database. These vulnerabilities, identified as CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, and CVE-2025-46819, involve issues such as use-after-free errors and integer overflows within Redis's Lua scripting engine. Exploitation of these flaws could allow authenticated users to execute arbitrary code, leading to potential remote code execution and privilege escalation. The affected versions include Plant iT/Brewmaxx 9.60 and above. Schneider Electric has released patches and provided mitigation steps to address these vulnerabilities. (se.com)
The disclosure underscores the critical importance of securing third-party components within industrial control systems. As cyber threats targeting critical infrastructure continue to evolve, organizations must remain vigilant, ensuring timely updates and adherence to cybersecurity best practices to mitigate potential risks.
Why This Matters Now
The exploitation of these vulnerabilities could lead to severe consequences, including unauthorized control over industrial processes and potential operational disruptions. Given the increasing sophistication of cyber threats targeting critical infrastructure, it is imperative for organizations to promptly apply the provided patches and implement recommended security measures to safeguard their systems.
Attack Path Analysis
An attacker exploited vulnerabilities in Schneider Electric's Plant iT/Brewmaxx software, specifically targeting the embedded Redis database's Lua scripting engine. By crafting malicious Lua scripts, the attacker achieved remote code execution, leading to privilege escalation. Subsequently, the attacker moved laterally within the network, established command and control channels, exfiltrated sensitive data, and caused operational disruptions.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited vulnerabilities in the Redis Lua scripting engine within the Plant iT/Brewmaxx software to execute malicious scripts.
Related CVEs
CVE-2025-49844
CVSS 9.9
A use-after-free vulnerability in Redis versions 8.2.1 and below allows an authenticated user to execute arbitrary code via specially crafted Lua scripts.
Affected Products:
Schneider Electric Plant iT/Brewmaxx – 9.60 and above
Exploit Status:
no public exploit
CVE-2025-46817
CVSS 8.8
An integer overflow in Redis versions 8.2.1 and below allows an authenticated user to execute arbitrary code via specially crafted Lua scripts.
Affected Products:
Schneider Electric Plant iT/Brewmaxx – 9.60 and above
Exploit Status:
no public exploit
CVE-2025-46818
CVSS 7.3
Improper control of code generation in Redis versions 8.2.1 and below allows an authenticated user to execute arbitrary code via specially crafted Lua scripts.
Affected Products:
Schneider Electric Plant iT/Brewmaxx – 9.60 and above
Exploit Status:
no public exploit
CVE-2025-46819
CVSS 7.1
An out-of-bounds read in Redis versions 8.2.1 and below allows an authenticated user to crash the server or read sensitive data via specially crafted Lua scripts.
Affected Products:
Schneider Electric Plant iT/Brewmaxx – 9.60 and above
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Command and Scripting Interpreter: Lua
Exploitation for Client Execution
Exploitation for Privilege Escalation
Endpoint Denial of Service
Exploitation for Defense Evasion
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Device Security
Control ID: Pillar 3: Devices
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Food Production
Schneider Electric Plant iT/Brewmaxx vulnerabilities expose Redis-based brewing systems to remote code execution, requiring immediate patching and network segmentation.
Food/Beverages
Critical Redis vulnerabilities in brewing control systems enable privilege escalation and code injection, compromising production safety and operational continuity.
Oil/Energy/Solar/Greentech
Critical infrastructure vulnerabilities in industrial control systems create cascading risks for energy sector operations requiring enhanced zero trust segmentation.
Electrical/Electronic Manufacturing
Manufacturing control system vulnerabilities expose production networks to lateral movement and data exfiltration through compromised Redis database components.
Sources
- Schneider Electric Plant iT/Brewmaxx – https://www.cisa.gov/news-events/ics-advisories/icsa-26-083-03 – Verified
- Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx – https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf – Verified
- CVE-2025-49844 Detail – https://nvd.nist.gov/vuln/detail/CVE-2025-49844 – Verified
- CVE-2025-46817 Detail – https://nvd.nist.gov/vuln/detail/CVE-2025-46817 – Verified
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained by limiting unauthorized script execution paths.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by enforcing strict access controls.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely have been constrained by monitoring and controlling internal traffic.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels may have been detected and disrupted through enhanced visibility.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts could have been limited by enforcing strict egress policies.
The attacker's ability to cause operational disruptions may have been limited by reducing their access to critical systems.
Impact at a Glance
Affected Business Functions
- Process Control
- Manufacturing Execution
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of proprietary manufacturing processes and operational data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit access to critical systems.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into network traffic and detect anomalous behaviors.
- Regularly update and patch software components, including Redis, to mitigate known vulnerabilities.
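The four CVEs above share two preconditions: the embedded Redis is at or below 8.2.1, and an authenticated account is allowed to reach the Lua engine. The following script is an added example, not code from Schneider Electric, CISA or the Aviatrix page; it audits those two preconditions from captured output of the real Redis commands `INFO server` and `ACL LIST`, replaying ACL rules left to right the way Redis applies them, and emits `ACL SETUSER ... -@scripting` lines for accounts that can still run scripts. The sample INFO and ACL LIST text is constructed for the example, `#PLACEHOLDER_SHA256` stands in for a real password hash, and only the `@all` and `@scripting` categories are modelled (other categories are ignored, so review the output before acting on it). Which application accounts legitimately need Lua is an operator decision the script does not make.

```python
"""Audit a Redis instance for the two preconditions shared by the Plant iT/Brewmaxx
Redis Lua CVEs: an affected version (<= 8.2.1) and ACL users allowed to run scripts.
Added example; input formats follow real `INFO server` and `ACL LIST` output."""
import re
from typing import Dict, List, Tuple

# Highest affected release named in the advisory: "Redis versions 8.2.1 and below".
AFFECTED_MAX_VERSION = (8, 2, 1)

# Commands that reach the Lua engine; Redis groups them in the @scripting ACL category.
SCRIPTING_COMMANDS = frozenset(
    {"eval", "evalsha", "eval_ro", "evalsha_ro", "script", "fcall", "fcall_ro", "function"}
)

# Constructed sample output (not from a real system), modelled on the real formats.
SAMPLE_INFO = """# Server
redis_version:8.2.1
redis_mode:standalone
os:Linux 5.15.0 x86_64
"""
SAMPLE_ACL_LIST = """user default on nopass sanitize-payload ~* &* +@all
user plantit_app on #PLACEHOLDER_SHA256 ~plantit:* resetchannels -@all +@read +@write +@scripting
user monitor on #PLACEHOLDER_SHA256 ~* resetchannels -@all +info +ping
user legacy on #PLACEHOLDER_SHA256 ~* &* +@all -@scripting
user retired off #PLACEHOLDER_SHA256 ~* &* +@all
"""


def parse_redis_version(info_text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from the redis_version line of `INFO server`."""
    match = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.MULTILINE)
    if match is None:
        raise ValueError("no redis_version line in INFO output")
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def is_affected_version(version: Tuple[int, int, int]) -> bool:
    """Tuple comparison gives numeric ordering: 8.2.1 <= 8.2.1 but 8.2.2 > 8.2.1."""
    return version <= AFFECTED_MAX_VERSION


def parse_acl_list(acl_text: str) -> Dict[str, dict]:
    """Parse `ACL LIST` lines: 'user <name> on|off <flags/hash> ~<keys> &<chans> <cmd rules>'."""
    users: Dict[str, dict] = {}
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "user":
            continue
        users[tokens[1]] = {"enabled": tokens[2] == "on", "rules": tokens[3:]}
    return users


def can_run_scripts(rules: List[str]) -> bool:
    """Replay command-permission tokens in order; Redis applies ACL rules left to
    right, so a later '-@scripting' overrides an earlier '+@all'. Only the @all and
    @scripting categories are modelled here; other categories are ignored."""
    allowed = set()
    for tok in rules:
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = set(SCRIPTING_COMMANDS)
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed = set()
        elif tok[:1] in ("+", "-") and not tok.startswith(("+@", "-@")):
            # Single command, possibly with a subcommand suffix such as 'script|flush'.
            cmd = tok[1:].split("|", 1)[0].lower()
            if cmd in SCRIPTING_COMMANDS:
                (allowed.add if tok[0] == "+" else allowed.discard)(cmd)
    return bool(allowed)


def scripting_exposure(info_text: str, acl_text: str) -> dict:
    """Combine the version and ACL checks into one report for the captured server."""
    version = parse_redis_version(info_text)
    users = parse_acl_list(acl_text)
    capable = sorted(
        name for name, u in users.items() if u["enabled"] and can_run_scripts(u["rules"])
    )
    affected = is_affected_version(version)
    return {
        "version": ".".join(map(str, version)),
        "affected_version": affected,
        "script_capable_users": capable,
        # Exposure to the Lua-engine bugs needs both an affected release and an
        # enabled account that is allowed to submit scripts.
        "exposed": affected and bool(capable),
    }


def hardening_commands(report: dict) -> List[str]:
    """ACL SETUSER lines removing scripting from each capable account; the operator
    must drop the lines for application accounts that legitimately need Lua."""
    return [f"ACL SETUSER {name} -@scripting" for name in report["script_capable_users"]]


if __name__ == "__main__":
    result = scripting_exposure(SAMPLE_INFO, SAMPLE_ACL_LIST)
    print(result)
    for command in hardening_commands(result):
        print(command)
```

On the constructed sample the report flags version 8.2.1 as affected and lists `default` and `plantit_app` as script-capable, while `legacy` is excluded because its trailing `-@scripting` overrides `+@all` and `retired` is skipped as disabled. In practice the `default` user with `nopass` and `+@all` is the finding to act on first, either by disabling it or by requiring a password and removing `@scripting`.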