CVE-2024-9005 HIGH

CVE-2024-9005

Vendor Schneider Electric

Product EcoStruxure Power Monitoring Expert (PME)

Weakness CWE-502 · Unsafe deserialization

Published October 8, 2024

Last update March 25, 2025

View on NVD All CVEs

CVSS base score

7.3/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

CWE-502: Deserialization of Untrusted Data vulnerability exists that could allow code to be remotely executed on the server when unsafely deserialized data is posted to the web server.

Key dates

02Disclosure timeline

October 8, 2024 CVE published

March 25, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-9005

Related vulnerabilities

04Related CVE

CVE-2026-8751 h2oai h2o-3 JAR Model.java importBinaryModel deserialization CVE-2025-26885 WordPress Assistant Plugin <= 1.5.1 - PHP Object Injection vulnerability CVE-2026-39890 PraisonAI Affected by Remote Code Execution via YAML Deserialization in Agent Definition Loading CVE-2024-43242 WordPress Indeed Ultimate Membership Pro plugin <= 12.7 - Unauthenticated PHP Object Injection vulnerability CVE-2025-15222 Dromara Sa-Token SaSerializerTemplateForJdkUseBase64.java ObjectInputStream.readObject deserialization

Identifiers

CVE CVE-2024-9005

CWE CWE-502

CVSS 7.3 / HIGH

Affected versions

Vendor Schneider Electric

Product EcoStruxure Power Monitoring Expert (PME)

Affected Version 2022 and prior