
Schneider Electric Plant iT/Brewmaxx — Multiple Redis Lua Engine Vulnerabilities

Schneider Electric has disclosed four vulnerabilities in the embedded Redis in-memory database component of its Plant iT/Brewmaxx industrial automation platform. The vulnerabilities, tracked as CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, and CVE-2025-46819, affect Redis versions 8.2.1 and below as bundled with Plant iT/Brewmaxx version 9.60 and above. Schneider Electric published security notification SEVD-2026-013-01 in January 2026 addressing these flaws. CISA issued a corresponding ICS advisory (ICSA-26-083-03) on March 24, 2026.

The vulnerabilities collectively reside in Redis's Lua scripting subsystem. An authenticated attacker able to submit specially crafted Lua scripts to an affected Redis instance can exploit use-after-free conditions, integer overflows, code injection weaknesses, and out-of-bounds memory access to escalate privileges, execute arbitrary code within the host's security context, read sensitive in-memory data, or crash the Redis server and cause a denial of service. Redis is embedded in multiple Plant iT/Brewmaxx components including the application server, the VisuHub visualization service, engineering workstations, and workstations configured for emergency mode operation. NIST has not yet published CVSS v4.0 scores for these CVEs.

Successful exploitation requires authenticated access to a Redis instance. In typical industrial deployments Redis is not directly internet-facing; however, the application server and workstation components hosting Redis are accessible within the plant network, widening the attack surface to any entity holding a valid session or able to move laterally within the OT environment. The operational criticality of Plant iT/Brewmaxx in brewery and food-and-beverage continuous production processes means that a successful remote code execution could disrupt batch operations or facilitate deeper lateral movement within the operational technology network.

Threats and Vulnerabilities

CVE-2025-49844, with a CVSS v3.1 score of 9.9 (Critical), is the most severe vulnerability in this set. An authenticated attacker can submit a specially crafted Lua script to the Redis instance to manipulate the garbage collector and trigger a use-after-free condition, classified under CWE-416. Successful exploitation can allow the attacker to achieve remote code execution on the Redis host. The flaw affects Redis versions 8.2.1 and below and is remediated in Redis 8.2.2.

CVE-2025-46817, with a CVSS v3.1 score of 8.8 (High), allows an authenticated attacker to use a malicious Lua script to trigger an integer overflow in the Redis scripting engine, classified under CWE-190 (Integer Overflow or Wraparound). Like CVE-2025-49844, this overflow condition can be escalated to remote code execution on the affected host. The vulnerability affects Redis 8.2.1 and below and is resolved in Redis 8.2.2.

CVE-2025-46818, with a CVSS v3.1 score of 7.3 (High), is a code injection vulnerability classified under CWE-94. An authenticated attacker can use a crafted Lua script to manipulate Lua object internals and execute arbitrary code within the security context of a different user sharing the same Redis instance. This flaw is particularly relevant in multi-operator Plant iT/Brewmaxx deployments where multiple engineer or operator roles interact with the same application server simultaneously.

CVE-2025-46819, with a CVSS v3.1 score of 7.1 (High), encompasses out-of-bounds read and integer overflow conditions classified under CWE-125 and CWE-190. An authenticated attacker can submit a crafted Lua script to read out-of-bounds memory content, potentially exposing sensitive in-process data such as credentials, session tokens, or live process values, or to crash the Redis service entirely and produce a denial of service that disrupts process visualization and control functions.

Client Impact

Industrial facilities operating Schneider Electric Plant iT/Brewmaxx version 9.60 and above face a credible risk of unauthorized code execution on automation servers and engineering workstations and disruption to production operations. An attacker exploiting CVE-2025-49844 or CVE-2025-46817 could gain full code execution on a Redis host, enabling manipulation of process data, alteration of batch production records, or use of the compromised system as a pivot point for lateral movement deeper into the operational technology network. Exploitation of the denial-of-service vector in CVE-2025-46819 could interrupt the Redis-backed data layer underpinning Plant iT/Brewmaxx process control, halting visualization and supervisory functions and potentially triggering unplanned production shutdowns in continuous-process environments including brewery, dairy, and beverage facilities.

From a compliance perspective, organizations subject to IEC 62443, NERC CIP, or sector-specific cybersecurity frameworks carry obligations to assess and remediate third-party component vulnerabilities embedded within licensed ICS products. The presence of an unpatched Redis component within a commercially deployed automation platform highlights the importance of software bill of materials awareness and component-level vulnerability tracking. Failure to apply the available patch and compensating configuration mitigations within a reasonable timeframe may constitute a gap in vulnerability management programs subject to review during compliance audits and certification assessments.

Mitigations

Schneider Electric and CISA recommend the following actions to address these vulnerabilities:

1. Apply patch ProLeiT-2025-001 immediately by contacting ProLeiT Support. This patch updates the embedded Redis component to a version that resolves all four CVEs.

2. After applying ProLeiT-2025-001, disable the Redis EVAL and EVALSHA commands on the application server, VisuHub service, all engineering workstations, and all workstations configured for emergency mode using Redis ACL settings to restrict Lua script execution.

3. Minimize network exposure for all Plant iT/Brewmaxx components and ensure the application server, VisuHub, and workstations are not directly reachable from the internet or untrusted external networks.

4. Isolate Plant iT/Brewmaxx network segments behind firewalls and demilitarized zones, separated from enterprise IT networks, in accordance with industrial network segmentation best practices.

5. Where remote access to the Plant iT/Brewmaxx environment is required, enforce the use of current, fully patched VPN solutions with multi-factor authentication rather than direct network connectivity.

6. Monitor Redis service logs for anomalous EVAL or EVALSHA command invocations, unexpected Lua script submissions, or repeated Redis process crashes as behavioral indicators of potential exploitation.
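An added example, not from the advisory, Schneider Electric, ProLeiT or CISA, covering steps 2 and 6 together: `lua_permitted` applies a Redis ACL rule left to right, as Redis does, and reports which Lua-executing commands remain allowed, going beyond the two commands named above by also checking the other members of Redis's `@scripting` category; `flag_script_calls` scans MONITOR output for those commands and surfaces clients that submit scripts repeatedly. The user name, password, client addresses and MONITOR lines are constructed values.

```python
import re
from collections import Counter

# Commands that run or load Lua. EVAL and EVALSHA are the two named in the
# advisory; the rest complete Redis's @scripting ACL category (Redis 7+), so the
# audit also covers the read-only and FUNCTION-based entry points.
SCRIPTING = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO",
             "SCRIPT", "FUNCTION", "FCALL", "FCALL_RO"}

# MONITOR output line: '<unix-ts> [<db> <client-addr>] "<cmd>" "<arg>" ...'
MONITOR_RE = re.compile(r'^(\S+) \[(\d+) ([^\]]+)\] "([^"]+)"')


def lua_permitted(acl_rule: str) -> set[str]:
    """Apply an ACL rule left to right, as Redis does, and return the scripting
    commands it still allows. Only command selectors are modelled (+@all/-@all,
    allcommands/nocommands, +@scripting/-@scripting, +cmd/-cmd)."""
    allowed: set[str] = set()
    for tok in acl_rule.split():
        name = tok[1:].upper()
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = set(SCRIPTING)
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed = set()
        elif tok.startswith("+") and name in SCRIPTING:
            allowed.add(name)
        elif tok.startswith("-") and name in SCRIPTING:
            allowed.discard(name)
    return allowed


def flag_script_calls(monitor_lines, threshold: int = 3):
    """Scan MONITOR output for Lua-executing commands. Returns each such call as
    (timestamp, client, command) plus clients with >= `threshold` of them."""
    events = []
    for line in monitor_lines:
        m = MONITOR_RE.match(line)
        if m and m.group(4).upper() in SCRIPTING:
            events.append((m.group(1), m.group(3), m.group(4).upper()))
    counts = Counter(client for _, client, _ in events)
    return events, {c for c, n in counts.items() if n >= threshold}


# Constructed sample MONITOR lines (not real captures); the SHA1 is a placeholder.
SAMPLE_MONITOR = [
    '1774300000.001 [0 10.1.2.3:50000] "get" "batch:42:status"',
    '1774300000.102 [0 10.1.2.3:50000] "eval" "return 1" "0"',
    '1774300001.205 [0 10.1.2.9:41200] "EVALSHA" "sha1-placeholder" "0"',
    '1774300001.310 [0 10.1.2.9:41200] "evalsha" "sha1-placeholder" "0"',
    '1774300002.000 [0 10.1.2.9:41200] "script" "load" "return 1"',
    '1774300003.500 [0 10.1.2.3:50000] "set" "tank:7:temp" "64.2"',
]
```

Running `lua_permitted` on `user appsvc on >pw ~* +@all -eval -evalsha` shows the gap the ACL audit is meant to catch: EVAL and EVALSHA are gone but EVAL_RO, EVALSHA_RO, SCRIPT, FUNCTION and FCALL remain, whereas `+@all -@scripting` removes all of them.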

Schneider Electric and CISA reported no known public exploitation of these vulnerabilities at the time of publication.

1898 & Co. Response

1898 & Co. continuously monitors ICS vulnerability disclosures, CISA ICS-CERT advisories, and vendor security notifications to provide timely and actionable guidance to clients operating industrial automation platforms. Our OT cybersecurity practice tracks third-party software components embedded within commercial ICS products and evaluates their potential impact on operational environments, including middleware such as Redis, OPC-UA servers, and database engines commonly integrated into process automation products.

Our team has direct experience supporting clients in the food and beverage, energy, and critical manufacturing sectors who operate Schneider Electric Plant iT/Brewmaxx and comparable process automation platforms. We provide patch feasibility assessments, compensating control design, and network segmentation consulting to help clients address vulnerabilities within their change management processes and operational availability constraints.

1898 & Co. offers vulnerability assessment and OT security advisory services tailored to industrial environments, including network architecture reviews, asset inventory validation, and third-party component analysis aligned with IEC 62443 security levels. Clients with questions about the applicability of ICSA-26-083-03 to their specific Plant iT/Brewmaxx deployment are encouraged to contact our OT security team.

Sources

1. CISA ICS Advisory ICSA-26-083-03 — Schneider Electric Plant iT/Brewmaxx

2. Schneider Electric Security Notifications Portal (SEVD-2026-013-01)

3. NVD Entry — CVE-2025-49844

4. NVD Entry — CVE-2025-46817

5. NVD Entry — CVE-2025-46818

6. NVD Entry — CVE-2025-46819