
Schneider Electric EcoStruxure PME and EPO: Detecting and Responding to Local Code Execution

Security Arsenal Team
April 12, 2026

Schneider Electric has released a critical security notification regarding a vulnerability affecting its EcoStruxure Power Monitoring Expert (PME) and EcoStruxure Power Operation (EPO) platforms. As detailed in CISA Advisory ICSA-26-078-04, this issue facilitates local arbitrary code execution. Given the role of these systems in managing power for critical and energy-intensive facilities, a successful compromise could lead to unauthorized administrative control, operational disruption, or total system takeover.

The Risk Context

EcoStruxure PME and EPO are on-premises software solutions widely deployed in data centers, healthcare facilities, and industrial plants to monitor electrical infrastructure. They are high-value targets for adversaries seeking to disrupt power availability or pivot further into the OT network. Although exploitation requires local access, the vulnerability is particularly dangerous in environments where workstation hardening is weak or where lateral movement from the IT network has already occurred. An attacker with an initial foothold could use it to gain administrative privileges over the power management system, effectively controlling the facility's electrical operations.

Technical Analysis

Affected Products:

  • EcoStruxure Power Monitoring Expert (PME)
  • EcoStruxure Power Operation (EPO)

Vulnerability Type: Local Arbitrary Code Execution

Mechanism: The vulnerability exists within the underlying application logic or specific service components of the PME/EPO software. It allows an authenticated user (or a process masquerading as one) to execute arbitrary code with the privileges of the system account running the PME/EPO services. In typical deployments, these services run with high privileges (often SYSTEM or Administrator) to interact with low-level hardware drivers and network interfaces.

Impact:

  • Local System Compromise: Attackers can execute commands with SYSTEM-level privileges.
  • Operational Disruption: Ability to stop monitoring services or modify power settings.
  • Persistence: Installation of backdoors or rootkits within the critical control environment.

Detection and Response

To defend against this threat, security teams must monitor for abnormal process execution patterns originating from the PME/EPO software binaries. The primary indicator of compromise (IoC) is the parent application (typically SMServer.exe or web-facing components) spawning unexpected child processes like cmd.exe, powershell.exe, or whoami.exe.

Sigma Rules

YAML
---
title: Suspicious Process Spawn by EcoStruxure PME/EPO
id: 9a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects potential local code execution by monitoring for command shells spawned by Schneider Electric EcoStruxure PME or EPO processes.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-04
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059
  - attack.privilege_escalation
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - '\EcoStruxure\'
      - '\Power Monitoring Expert\'
      - '\Power Operation\'
      - '\SMServer.exe'
      - '\IONNetwork.exe'
  filter_legit:
    Image|contains:
      - '\System32\WerFault.exe'
      - '\System32\conhost.exe'
  selection_shell:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection and not filter_legit and selection_shell
falsepositives:
  - Legitimate administrative debugging (rare)
level: high
---
title: Unusual Outbound Network Connection from PME Backend
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects potential C2 activity or data exfiltration initiated by the PME/EPO backend service connecting to non-standard ports.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-04
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|contains:
      - '\SMServer.exe'
      - '\IONDispatcher.exe'
      - '\EcoStruxure'
    Initiated: 'true'   # outbound connections only
  filter_expected_ports:
    DestinationPort:
      - 80
      - 443
      - 8080
      - 27000 # Common FLEXnet license port
  # Sigma has no '|not' modifier; exclude the expected ports via a filter selection
  condition: selection and not filter_expected_ports
falsepositives:
  - Legitimate communication with historians or third-party modbus gateways on custom ports
level: medium
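
The two rules above, re-expressed as plain Python predicates and run over constructed process-creation and network-connection events (an added example, not part of the original post; the install path, event ids and port 4444 are illustrative):

```python
# Added example: the two Sigma rules above as Python predicates, run on constructed Windows telemetry.
PME_PARENTS = ("\\EcoStruxure\\", "\\Power Monitoring Expert\\", "\\Power Operation\\",
               "\\SMServer.exe", "\\IONNetwork.exe")
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
BENIGN_CHILDREN = ("\\System32\\WerFault.exe", "\\System32\\conhost.exe")
PME_IMAGES = ("\\SMServer.exe", "\\IONDispatcher.exe", "\\EcoStruxure")
EXPECTED_PORTS = {80, 443, 8080, 27000}  # 27000: common FLEXnet license port

def _contains_any(value, needles):
    # Sigma string matching is case-insensitive by default; mirror that.
    return any(n.lower() in value.lower() for n in needles)

def _endswith_any(value, needles):
    return any(value.lower().endswith(n.lower()) for n in needles)

def suspicious_spawn(ev):
    """Rule 1: PME/EPO parent spawns a shell, minus the benign children."""
    return (_contains_any(ev.get("ParentImage", ""), PME_PARENTS)
            and not _contains_any(ev.get("Image", ""), BENIGN_CHILDREN)
            and _endswith_any(ev.get("Image", ""), SHELLS))

def unusual_connection(ev):
    """Rule 2: PME/EPO backend connects to a port outside the expected set."""
    return (_contains_any(ev.get("Image", ""), PME_IMAGES)
            and ev.get("DestinationPort") not in EXPECTED_PORTS)

def triage(events):
    """Return 'rule | event id' for every event that fires a rule."""
    hits = []
    for ev in events:
        if ev["category"] == "process_creation" and suspicious_spawn(ev):
            hits.append("Suspicious Process Spawn | " + ev["id"])
        elif ev["category"] == "network_connection" and unusual_connection(ev):
            hits.append("Unusual Outbound Connection | " + ev["id"])
    return hits

# Constructed sample events; the install path and ports are illustrative only.
PME_BIN = "C:\\Program Files\\Schneider Electric\\Power Monitoring Expert\\system\\bin\\"
SAMPLE_EVENTS = [
    {"id": "e1", "category": "process_creation", "ParentImage": PME_BIN + "SMServer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},                 # shell under PME: fires
    {"id": "e2", "category": "process_creation", "ParentImage": PME_BIN + "SMServer.exe",
     "Image": "C:\\Windows\\System32\\conhost.exe"},             # filtered as benign
    {"id": "e3", "category": "process_creation", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},                 # not a PME parent
    {"id": "e4", "category": "network_connection", "Image": PME_BIN + "IONDispatcher.exe",
     "DestinationPort": 27000},                                  # license port: allowed
    {"id": "e5", "category": "network_connection", "Image": PME_BIN + "SMServer.exe",
     "DestinationPort": 4444},                                   # unexpected port: fires
]
```

Running `triage(SAMPLE_EVENTS)` returns hits for e1 and e5 only, which is the behaviour the filter selections in both rules are meant to produce.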

Microsoft Sentinel / Defender KQL

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious child processes of PME/EPO services.
// Match the parent by file name or by folder path: the product name appears in the
// install path, not in the binary name, so has_any on the file name alone misses it.
DeviceProcessEvents
| where InitiatingProcessFileName has_any ("SMServer", "IONNetwork")
    or InitiatingProcessFolderPath has_any ("EcoStruxure", "Power Monitoring Expert", "Power Operation")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe")
| extend HostName = DeviceName
| project Timestamp, HostName, InitiatingProcessFolderPath, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName, InitiatingProcessAccountName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
// Hunt for suspicious parent-child process relationships.
// pslist() exposes Ppid but no nested Parent column, so the parent is looked up by pid.
LET Procs = SELECT Pid, Ppid, Name, CommandLine, Exe, Username,
       { SELECT Name, Exe FROM pslist(pid=Ppid) }[0] AS Parent
  FROM pslist()

SELECT Pid, Name, CommandLine, Exe, Username,
       Ppid AS ParentPid, Parent.Name AS ParentName, Parent.Exe AS ParentExe
FROM Procs
WHERE ParentExe =~ 'EcoStruxure|SMServer|IONNetwork'
   AND Name =~ '^(cmd|powershell|pwsh|cscript|wscript)[.]exe$'
   AND NOT Name =~ 'WerFault|conhost'

Remediation Script (PowerShell)

PowerShell
# Check for the presence of PME/EPO services and report each binary's file version for verification
Write-Host "[+] Checking EcoStruxure PME/EPO Service Status..." -ForegroundColor Cyan

# Anchor the ION match to the start of the name: -like is case-insensitive, so a bare
# "*ION*" would also match unrelated services such as "Session" or "Connection".
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like "*SMServer*" -or $_.Name -like "ION*" -or $_.DisplayName -like "*EcoStruxure*" }

if ($services) {
    foreach ($svc in $services) {
        Write-Host "[!] Found Service: $($svc.Name)" -ForegroundColor Yellow
        Write-Host "    Path: $($svc.PathName)"

        # PathName is often quoted and carries arguments ("C:\...\SMServer.exe" -service);
        # extract just the executable so Test-Path and VersionInfo work.
        $exePath = $svc.PathName
        if ($exePath -match '^"([^"]+)"') { $exePath = $Matches[1] }
        elseif ($exePath -match '^(\S+\.exe)') { $exePath = $Matches[1] }

        if (Test-Path -LiteralPath $exePath) {
            $fileVersion = (Get-Item -LiteralPath $exePath).VersionInfo.FileVersion
            Write-Host "    File Version: $fileVersion" -ForegroundColor White
            Write-Host "    ACTION: Compare this version against the Schneider Electric Security Advisory. If lower than the fixed version, patch immediately." -ForegroundColor Red
        } else {
            Write-Host "    [-] Binary not found at the parsed path; inspect PathName manually." -ForegroundColor DarkYellow
        }
    }
} else {
    Write-Host "[-] No EcoStruxure PME/EPO services found on this host." -ForegroundColor Green
}

Remediation Strategy

  1. Patch Immediately: Apply the security fixes provided by Schneider Electric immediately. Refer to the specific advisory ICSA-26-078-04 to identify the exact build numbers that resolve the vulnerability.
  2. Verify Versioning: Use the script above or manually inspect the properties of SMServer.exe and core EPO executables to confirm the update was successful.
  3. Restrict Local Access: Since this is a local code execution vulnerability, strictly limit interactive logons and RDP access to the servers hosting PME/EPO. Ensure only dedicated SCADA/OT administrators have access.
  4. Network Segmentation: Ensure the PME/EPO servers are isolated from the general IT network. Place them in a dedicated VLAN with strict firewall rules preventing unauthorized inbound access and limiting outbound traffic to known necessary destinations.
