Schneider Electric Security Notification

PowerLogic PM5300 Series

12 November 2024

Overview

Schneider Electric is aware of a vulnerability in its PowerLogic PM5300 series with Ethernet functionality.

Affected Products and Versions

Note - PM5310 and PM5330 are not impacted because they use serial communication infrastructure and do not have an Ethernet stack.

Vulnerability Details

CVE ID: CVE-2024-9409

CVSS v3.1 Base Score: 7.5

CVSS v4.0 Base Score: 8.7

CWE-400: An Uncontrolled Resource Consumption vulnerability exists that could cause the device to become unresponsive resulting in communication loss when a large amount of IGMP packets is present in the network.

Severity Calculation: The severity of vulnerabilities was calculated using the CVSS Base metrics for 4.0 (CVSS v4.0). CVSS v3.1 will still be evaluated until the adoption of CVSS v4.0 by the industry. The severity was calculated without incorporating the Temporal and Environmental metrics. Schneider Electric recommends that customers score the CVSS Environmental metrics, which are specific to end-user organizations, and consider factors such as the presence of mitigations in that environment. Environmental metrics may refine the relative severity posed by the vulnerabilities described in this document within a customer's environment.
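
For monitoring the IGMP condition described under Vulnerability Details, the following is an added example (not part of the Schneider Electric notification) that flags bursts of IGMP frames in captured traffic from the meter's network segment. The 100 frames per second threshold, the function names and the sample frames are assumptions; the notification gives no packet rate.

```python
import struct
from collections import deque

IGMP_PROTO = 2  # IPv4 protocol number assigned to IGMP

def is_igmp(frame: bytes) -> bool:
    """True if an Ethernet II frame (optionally 802.1Q-tagged) carries IPv4/IGMP."""
    if len(frame) < 14:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == 0x8100 and len(frame) >= 18:  # skip one VLAN tag
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return False
    return frame[offset] >> 4 == 4 and frame[offset + 9] == IGMP_PROTO

def igmp_bursts(records, window=1.0, threshold=100):
    """records: time-ordered iterable of (timestamp_seconds, frame_bytes).
    Returns one timestamp per burst: the moment the IGMP frame count inside
    the trailing `window` seconds first exceeds `threshold` (assumed value)."""
    recent, alerts, alerting = deque(), [], False
    for ts, frame in records:
        if not is_igmp(frame):
            continue
        recent.append(ts)
        while recent[0] <= ts - window:  # drop frames older than the window
            recent.popleft()
        over = len(recent) > threshold
        if over and not alerting:
            alerts.append(ts)
        alerting = over
    return alerts

def make_frame(proto, vlan=False):
    """Constructed sample frame: zeroed MACs, minimal IPv4 header, given protocol."""
    eth = bytes(12) + (b"\x81\x00\x00\x0a" if vlan else b"") + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 1, proto]) + bytes(10)
    return eth + ip + bytes(8)

# Constructed traffic: sparse IGMP, then 500 IGMP frames in 0.5 s, then UDP noise.
SAMPLE = [(i * 10.0, make_frame(2)) for i in range(3)]
SAMPLE += [(30.0 + i * 0.001, make_frame(2, vlan=i % 2 == 0)) for i in range(500)]
SAMPLE += [(31.0 + i * 0.001, make_frame(17)) for i in range(500)]

if __name__ == "__main__":
    print(igmp_bursts(SAMPLE))
```

Tune `threshold` against the normal IGMP query and report rate observed on the segment before alerting on it.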