Schneider Electric EcoStruxure Power Build Rapsody (Update A)

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-26-015-10 | Jan 13, 2026
Schneider Electric | Energy
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Schneider Electric EcoStruxure Power Build Rapsody software contains heap-based and stack-based buffer overflow vulnerabilities (CWE-415, CWE-416) in the single-line diagram processing functionality. The software is used to design electrical switchboards and generate bills of material. Exploitation of these memory corruption issues could allow local code execution on engineering workstations. Multiple language variants (FR, INT, ES, PT, BEL(NL), BEL(FR), NL) across multiple versions are affected.

What this means
What could happen
An attacker with local access to a workstation running EcoStruxure Power Build Rapsody could exploit memory corruption vulnerabilities to run arbitrary code, potentially allowing them to modify electrical switchboard designs or compromise the engineering environment used to configure critical power distribution systems.
Who's at risk
This affects organizations operating electrical power distribution and switchboard systems that use EcoStruxure Power Build Rapsody for design and bill-of-materials generation. This includes utilities, industrial facilities, data centers, and any enterprise managing complex electrical distribution networks. Engineering and operations teams who use this design software are directly affected.
How it could be exploited
An attacker with local access to a machine running the vulnerable software could trigger a heap-based or stack-based buffer overflow by opening a malicious single-line diagram file or providing crafted input. This could allow arbitrary code execution in the context of the application user.
Prerequisites
  • Local access to a workstation running EcoStruxure Power Build Rapsody
  • Ability to open files or provide input to the application
  • No special user privileges or credentials required
local code execution possible; no authentication required for file operations; low complexity attack; memory corruption vulnerabilities; affects engineering design environment
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (12)
12 with fix
Product | Affected Versions | Fix Status
EcoStruxure Power Build Rapsody software FR 2.8.1 and prior | ≤ 2.8.1 FR | 2.8.1.0401_FR
EcoStruxure Power Build Rapsody software INT 2.8.6 and prior | ≤ 2.8.6 INT | 2.8.1.0401_FR
EcoStruxure Power Build Rapsody software ES 2.8.5 and prior | ≤ 2.8.5 ES | 2.8.1.0401_FR
EcoStruxure Power Build Rapsody software BEL(NL) 2.8.3 and prior | ≤ 2.8.3 BEL(NL) | 2.8.1.0401_FR
EcoStruxure Power Build Rapsody software BEL(FR) 2.8.8 and prior | ≤ 2.8.8 BEL(FR) | 2.8.1.0401_FR
EcoStruxure Power Build Rapsody software FR 2.8.1.0300 and prior | ≤ 2.8.1.0300 FR | 2.8.1.0401_FR
EcoStruxure Power Build Rapsody software ES 2.8.5.0200 and prior | ≤ 2.8.5.0200 ES | 2.8.1.0401_FR
EcoStruxure Power Build Rapsody software PT 2.8.7.0100 and prior | ≤ 2.8.7.0100 PT | 2.8.1.0401_FR
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption

HOTFIX: Update EcoStruxure Power Build Rapsody FR to version 2.8.1.0401 or later
HOTFIX: Update EcoStruxure Power Build Rapsody INT to version 2.8.6.200 or later
HOTFIX: Update EcoStruxure Power Build Rapsody ES to version 2.8.5.0301 or later
HOTFIX: Update EcoStruxure Power Build Rapsody PT to version 2.8.7.0101 or later
HOTFIX: Update EcoStruxure Power Build Rapsody BEL(NL) and BEL(FR) to version 2.8.3.0201 / 2.8.8.0201 respectively by contacting Schneider Electric Customer Care Center
HOTFIX: Restart the EcoStruxure Power Build Rapsody service after applying any updates
Long-term hardening
HARDENING: Restrict local access to workstations running EcoStruxure Power Build Rapsody to authorized engineering personnel only