Executive Summary
In January 2026, Schneider Electric disclosed two critical software vulnerabilities (CVE-2025-13844, CVE-2025-13845) in its EcoStruxure Power Build Rapsody platform, widely used in the energy, manufacturing, and commercial facilities sectors. The flaws, a double-free and a use-after-free, stem from improper memory management when importing a malicious project file and allow a local attacker to execute arbitrary code. Impacted product versions are deployed worldwide. Schneider Electric and independent security researchers reported these vulnerabilities, urging customers to upgrade immediately or apply mitigations to prevent unauthorized system access and memory corruption.
This disclosure highlights the continued threat posed by software supply chain attacks and memory corruption vulnerabilities in critical infrastructure environments. As attackers shift towards exploiting insecure file imports and legacy software flaws, organizations must prioritize secure software lifecycle management and timely patching to counter emerging risks.
Why This Matters Now
This disclosure underscores the urgent need for asset owners and operators in critical sectors to address vulnerabilities in specialized industrial software, especially as code execution flaws like these are increasingly leveraged in ransomware and cyber-espionage campaigns. With global deployment and the reliance on legacy IT/OT systems, unpatched software opens avenues for both targeted and opportunistic attacks.
Attack Path Analysis
An attacker delivers a malicious project file (SSD) to a user of Schneider Electric EcoStruxure Power Build Rapsody; importing the file triggers either the double-free or the use-after-free vulnerability and gives the attacker an initial foothold. The attacker gains code execution in the user's context and may escalate privileges if the application runs with excessive permissions. From this foothold, the attacker attempts lateral movement to compromise additional systems in the environment, establishes command and control through outbound connections or remote access tools, exfiltrates sensitive project or configuration data, and could disrupt operations through data manipulation or software corruption, impacting critical infrastructure processes.
Kill Chain Progression
Initial Compromise
Description
A malicious SSD project file is delivered and imported into EcoStruxure Power Build Rapsody, exploiting a double free (CVE-2025-13844) or use-after-free (CVE-2025-13845) vulnerability for initial code execution.
Related CVEs
CVE-2025-13844
CVSS 5.3
A double free vulnerability in Schneider Electric EcoStruxure Power Build Rapsody allows local attackers to execute arbitrary code by importing a malicious project file.
Affected Products:
Schneider Electric EcoStruxure Power Build Rapsody – FR 2.8.1 and prior, INT 2.8.6 and prior, ES 2.8.5 and prior, BEL(NL) 2.8.3 and prior, BEL(FR) 2.8.8 and prior
Exploit Status:
no public exploit
CVE-2025-13845
CVSS 7.8
A use-after-free vulnerability in Schneider Electric EcoStruxure Power Build Rapsody allows local attackers to execute arbitrary code by importing a malicious project file.
Affected Products:
Schneider Electric EcoStruxure Power Build Rapsody – FR 2.8.1.0300 and prior, ES 2.8.5.0200 and prior, PT 2.8.7.0100 and prior, BEL(FR) 2.8.8.0100 and prior, BEL(EN) 2.8.3.0100 and prior, INT(EN) 2.8.4.0300 and prior, NL 2.8.2.0000 and prior
Exploit Status:
no public exploit
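The two affected-product lists above use "X and prior" ceilings with a different number of version components (2.8.1 in one list, 2.8.1.0300 in the other) and different build labels, which makes a by-eye inventory check error-prone. The script below is an added example, not Schneider Electric's or CISA's tooling: it transcribes the two affected lists from this advisory into a table and compares installed version strings against them component by component. The dotted-integer version format and the sample inventory at the bottom are assumptions constructed for the example; build labels are matched literally because the advisory does not say whether, for instance, BEL(NL) and NL denote the same build.

```python
"""Check installed EcoStruxure Power Build Rapsody builds against the affected
version ceilings quoted in this advisory.

Added example, not vendor or CISA tooling. AFFECTED is transcribed from the
advisory text; SAMPLE_INVENTORY is a constructed sample, and the dotted-integer
version-string format is an assumption.
"""
from __future__ import annotations

import re

# Highest affected version ("X and prior") per CVE and per build label, as the
# advisory lists them. The two CVEs label builds differently (INT vs INT(EN),
# BEL(NL) vs NL), so labels are matched literally and a site should look up
# its build under the label each list actually uses.
AFFECTED: dict[str, dict[str, str]] = {
    "CVE-2025-13844": {
        "FR": "2.8.1",
        "INT": "2.8.6",
        "ES": "2.8.5",
        "BEL(NL)": "2.8.3",
        "BEL(FR)": "2.8.8",
    },
    "CVE-2025-13845": {
        "FR": "2.8.1.0300",
        "ES": "2.8.5.0200",
        "PT": "2.8.7.0100",
        "BEL(FR)": "2.8.8.0100",
        "BEL(EN)": "2.8.3.0100",
        "INT(EN)": "2.8.4.0300",
        "NL": "2.8.2.0000",
    },
}

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.8.1.0300' into (2, 8, 1, 300). Leading zeros are numeric padding,
    so 0300 compares as 300. Anything else is rejected rather than silently
    compared as 'not affected'."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(installed: str, ceiling: str) -> bool:
    """'ceiling and prior' semantics, compared component by component.

    When the advisory gives fewer components than the installed build reports
    (ceiling 2.8.1, build 2.8.1.0400), only the shared prefix is compared and an
    equal prefix counts as affected: the conservative reading, since the
    advisory does not say which 2.8.1 builds are fixed."""
    inst, ceil = parse_version(installed), parse_version(ceiling)
    n = min(len(inst), len(ceil))
    return inst[:n] <= ceil[:n]


def check_installation(label: str, installed: str) -> list[str]:
    """Return the CVE ids whose affected range covers this build, in table order."""
    return [
        cve
        for cve, ceilings in AFFECTED.items()
        if label in ceilings and is_affected(installed, ceilings[label])
    ]


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Map each host to the CVEs it is exposed to. A host whose version string
    cannot be parsed is flagged explicitly so it is not reported as clean."""
    report: dict[str, list[str]] = {}
    for host, label, version in inventory:
        try:
            report[host] = check_installation(label, version)
        except ValueError:
            report[host] = ["UNPARSEABLE-VERSION"]
    return report


# Constructed sample inventory: (host, build label, installed version).
SAMPLE_INVENTORY = [
    ("eng-ws-01", "FR", "2.8.1.0200"),  # inside both affected ranges
    ("eng-ws-02", "FR", "2.8.1.0400"),  # past the CVE-2025-13845 ceiling, still 2.8.1.x
    ("eng-ws-03", "ES", "2.8.6"),       # newer than both ES ceilings
    ("eng-ws-04", "PT", "2.8.7.0100"),  # PT appears only in the CVE-2025-13845 list
    ("eng-ws-05", "INT", "2.8.x"),      # malformed export from the inventory tool
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves) or 'not in any listed range'}")
```

Note that eng-ws-02 is still reported under CVE-2025-13844: the advisory's FR ceiling for that CVE is simply "2.8.1 and prior", so any 2.8.1.x build is treated as affected until the vendor notification confirms a fixed build number.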
MITRE ATT&CK® Techniques
Techniques are mapped from the observed and plausible attack paths for vulnerability exploitation, privilege escalation, and code execution, for enrichment and filtering. Full STIX/TAXII enrichment to be added later.
User Execution: Malicious File
Exploit Public-Facing Application
Process Injection
Exploitation for Privilege Escalation
Event Triggered Execution: Exploitation for Client Execution
Endpoint Denial of Service
Impair Defenses: Disable or Modify Tools
Command and Scripting Interpreter
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 Rev. 5 – Flaw Remediation
Control ID: SI-2
PCI DSS 4.0 – Security of Application and System Components
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Asset Vulnerability Management
Control ID: Asset Management
NIS2 Directive – Cybersecurity Risk-Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Critical infrastructure vulnerability in Schneider Electric's power design software threatens energy sector switchboard systems with potential arbitrary code execution via malicious project files.
Electrical/Electronic Manufacturing
Manufacturing operations using EcoStruxure Power Build Rapsody for electrical design face heap corruption risks from double-free and use-after-free vulnerabilities in project imports.
Construction
Construction projects relying on Schneider's switchboard design software are vulnerable to memory corruption attacks through malicious SSD files, compromising electrical infrastructure planning and safety.
Utilities
Utility infrastructure design processes are exposed to the high-severity CVE-2025-13845, which allows arbitrary code execution when untrusted project files are imported into power building applications.
Sources
- Schneider Electric EcoStruxure Power Build Rapsody (CISA ICS advisory): https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-10
- Schneider Electric Security Notification SEVD-2026-013-04: https://www.se.com/ww/en/download/document/SEVD-2026-013-04/
- Schneider Electric EcoStruxure Power Build Rapsody Vulnerabilities (NVD): https://nvd.nist.gov/vuln/detail/CVE-2025-13844
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying CNSF-aligned controls such as zero trust segmentation, workload isolation, encrypted traffic enforcement, egress policy, and real-time threat detection could have significantly constrained attacker movement after initial compromise, limiting privilege escalation, lateral movement, command and control, and exfiltration opportunities.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious file behavior would be detected and alerted.
Control: Zero Trust Segmentation
Mitigation: Attempts to access privileged resources are constrained by least privilege policies.
Control: East-West Traffic Security
Mitigation: Lateral movement attempts are detected, restricted, or blocked between segmented workloads.
Control: Cloud Firewall (ACF)
Mitigation: Outbound C2 traffic is identified and blocked based on signatures and policy.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts are detected, logged, and blocked.
Automated response and containment reduce risk of operational impact.
Impact at a Glance
Affected Business Functions
- Electrical Panel Design
- Project Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive project design files and intellectual property.
Recommended Actions
Key Takeaways & Next Steps
- Immediately apply available vendor patches for CVE-2025-13844 and CVE-2025-13845 on all affected Rapsody installations.
- Enforce zero trust segmentation and east-west controls to prevent post-compromise lateral movement between sensitive workloads.
- Deploy real-time threat detection and anomaly response to monitor for suspicious file usage and memory-level attacks.
- Apply strict egress filtering and cloud firewall rules to block unapproved outbound traffic and exfiltration paths.
- Ensure centralized multicloud visibility and automate incident response to rapidly contain and remediate future exploits.