CVE-2025-13844

CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:schneider-electric:ecostruxure_power_build_-_rapsody:::::fr:::*
	cpe:2.3:a:schneider-electric:ecostruxure_power_build_-_rapsody:::::bel_nl:::*
	cpe:2.3:a:schneider-electric:ecostruxure_power_build_-_rapsody:::::es:::*
	cpe:2.3:a:schneider-electric:ecostruxure_power_build_-_rapsody:::::int:::*
	cpe:2.3:a:schneider-electric:ecostruxure_power_build_-_rapsody:::::bel_fr:::*

History

No history.

Information

Published : 2026-01-15 19:16

Updated : 2026-03-03 16:44

NVD link : CVE-2025-13844

Mitre link : CVE-2025-13844

CVE.ORG link : CVE-2025-13844

JSON object : View

Products Affected

schneider-electric

ecostruxure_power_build_-_rapsody

CWE

CWE-415

Double Free

{"id": "CVE-2025-13844", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cybersecurity@se.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.4, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-15T19:16:02.747", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf", "tags": ["Vendor Advisory"], "source": "cybersecurity@se.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cybersecurity@se.com", "description": [{"lang": "en", "value": "CWE-415"}]}], "descriptions": [{"lang": "en", "value": "CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody."}, {"lang": "es", "value": "CWE-415: Existe una vulnerabilidad de doble liberaci\u00f3n (Double Free) que podr\u00eda causar corrupci\u00f3n de memoria en el heap cuando el usuario final importa un archivo de proyecto malicioso (archivo SSD) compartido por el atacante en Rapsody."}], "lastModified": "2026-03-03T16:44:40.057", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_build_-_rapsody:*:*:*:*:fr:*:*:*", "vulnerable": true, "matchCriteriaId": "B0F9F08A-DA7C-404C-B846-0439C1BB68C0", "versionEndIncluding": "2.8.1"}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_build_-_rapsody:*:*:*:*:bel_nl:*:*:*", "vulnerable": true, "matchCriteriaId": "35A14DC6-6CAE-4ABA-812E-D60A5A556284", "versionEndIncluding": "2.8.3"}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_build_-_rapsody:*:*:*:*:es:*:*:*", "vulnerable": true, "matchCriteriaId": "776BC34F-121F-4FE8-BE20-0A46433225AA", "versionEndIncluding": "2.8.5"}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_build_-_rapsody:*:*:*:*:int:*:*:*", "vulnerable": true, "matchCriteriaId": "20D6437D-D54C-407D-A301-0F11AF975235", "versionEndIncluding": "2.8.6"}, {"criteria": "cpe:2.3:a:schneider-electric:ecostruxure_power_build_-_rapsody:*:*:*:*:bel_fr:*:*:*", "vulnerable": true, "matchCriteriaId": "2C0E74D9-8163-45EA-89C3-F103CFFDF427", "versionEndIncluding": "2.8.8"}], "operator": "OR"}]}], "sourceIdentifier": "cybersecurity@se.com"}