A critical vulnerability, identified as CVE-2023-22518, is reported to affect multiple Schneider Electric industrial control system (ICS) products, including the EcoStruxure and SCADAPack lines.
The vulnerability is confirmed as actively exploited in the wild, is listed on CISA's KEV catalog, and has an EPSS score of 0.94375 (94th percentile), indicating a high probability of exploitation.
Immediate investigation and remediation are required for all affected assets. CISA has issued advisories for affected products.
Intelligence Metadata
First Reported By: cisa.gov
Outbreak Velocity: 6 minutes to 10 unique domains
Consensus: 29 articles
CVSS Score: 9.5
EPSS Score: 0.94375 (94th percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.9575
Race Label: PERSISTENT THREAT
Technical Analysis
Technical details for CVE-2023-22518 as it pertains to Schneider Electric products are not specified in the provided intelligence. However, given the CVSS score of 9.5 and its inclusion in the CISA KEV catalog, the vulnerability is critical and likely allows for unauthenticated remote code execution or a complete system compromise. The affected products are industrial control systems (ICS), including data center, automation, and power monitoring solutions.
Exploitation of such a vulnerability in an ICS environment typically provides an ingress point for attackers to manipulate physical processes, deploy ransomware, or move laterally across operational technology (OT) networks. The high EPSS score indicates that the exploit is likely reliable and widely available to threat actors. The 'PERSISTENT THREAT' label indicates that exploit code and attack methodologies are well-established.
Affected Systems
Vendor: Schneider Electric
Affected Versions:
EcoStruxure Data Center Expert
EcoStruxure Automation Expert
EcoStruxure PME and EPO
SCADAPack and RemoteConnect
Exposure: Not available
Blast Radius: High. Impacts industrial control systems (ICS) and operational technology (OT) environments managing critical infrastructure such as data centers and power systems.
Intelligence Context
The combination of a critical CVSS score (9.5), a high probability of exploitation (EPSS 0.94375), and confirmed active exploitation (CISA KEV) makes CVE-2023-22518 a top-tier priority for defenders. The 'PERSISTENT THREAT' label, based on its long-standing presence on the KEV list (867 days), indicates that this is not a new or emerging threat, but a vulnerability with a well-established exploit chain used by multiple threat actors over time. The rapid initial signal spread ('6 minutes to 10 unique domains') reported by CISA underscores the immediate risk. Organizations using the affected Schneider Electric products must assume they are being actively targeted and prioritize remediation actions above routine patching.
Remediation & Defense
Patch immediately. If patching is not possible, apply vendor-recommended mitigations and isolate affected systems from untrusted networks.
Patch Status: Not available
Patch Version: Refer to vendor advisories for specific product patches.
Workarounds:
Refer to CISA advisory ICSA-26-076-03 and vendor-specific guidance for mitigation strategies.
Isolate affected ICS/OT systems from enterprise networks and the internet.
Enforce multi-factor authentication for all remote access to the OT network.
Detection Hints:
Monitor for anomalous network traffic to and from affected Schneider Electric devices.
Review logs for unexpected commands or configuration changes on EcoStruxure and SCADAPack systems.