Schneider Electric EcoStruxure Building Operation Workstation

Plan Patch | CVSS 7.3 | ICS-CERT ICSA-26-055-02 | Feb 10, 2026
Schneider Electric | Energy
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

EcoStruxure Building Operation Workstation and WebStation contain insecure XML deserialization (CWE-611) and code injection (CWE-94) vulnerabilities that allow a local authenticated attacker to read sensitive files or trigger denial of service. Affected versions: Workstation and WebStation 6.x (below 6.0.4.14001 CP10) and 7.0.x (below 7.0.3.2000 CP1) for CVE-2026-1227; 7.0.x (below 7.0.2) for CVE-2026-1226. Exploitation requires local system access and valid application credentials. Successful attacks could expose local files or disrupt the building management platform, impacting climate control, lighting, and operational monitoring.

What this means
What could happen
An attacker with local access and valid credentials could read sensitive files or cause the building management system to stop responding, leading to loss of visibility and control over HVAC, lighting, and other building systems.
Who's at risk
Energy sector organizations using Schneider Electric EcoStruxure Building Operation for centralized management of building systems (HVAC, lighting, security) should prioritize this update. Affected versions include Workstation and WebStation deployments in versions 6.x and 7.0.x that manage critical building infrastructure.
How it could be exploited
An attacker with local access to a workstation or WebStation instance and valid user credentials could exploit insecure XML deserialization or code injection vulnerabilities to read arbitrary files from the system or execute code that disrupts the application, causing denial of service to the building operations platform.
Prerequisites
  • Local access to the EcoStruxure Building Operation Workstation or WebStation system
  • Valid user credentials for the application
  • Access to the affected application interface
  • Low attack complexity
  • Requires valid credentials
  • Local access required
  • Could disrupt building operations
  • Affects management visibility of critical systems
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (16)
16 with fix
Product | Affected Versions | Fix Status
EcoStruxure™ Building Operation Workstation All 7.0.x | ≥ 7.0.x, < 7.0.3.2000 (CP1) | 7.0.3.2000 (CP1)
EcoStruxure™ Building Operation Workstation All 7.0.x | ≥ 7.0.x, < 7.0.2 | 7.0.3.2000 (CP1)
EcoStruxure™ Building Operation Workstation All 6.x | ≥ 6.x, < 6.0.4.14001 (CP10) | 7.0.3.2000 (CP1)
EcoStruxure™ Building Operation WebStation All 7.0.x | ≥ 7.0.x, < 7.0.3.2000 (CP1) | 7.0.3.2000 (CP1)
EcoStruxure™ Building Operation WebStation All 6.x | ≥ 6.x, < 6.0.4.14001 (CP10) | 7.0.3.2000 (CP1)
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update EcoStruxure Building Operation Workstation and WebStation to version 7.0.3.2000 (CP1) for 7.0.x systems, or 6.0.4.14001 (CP10) for 6.x systems
  • HARDENING: Implement strong password policies and multi-factor authentication for EcoStruxure Building Operation user accounts
Long-term hardening
  • HARDENING: Review and implement EcoStruxure Building Operation hardening guidelines from Schneider Electric documentation
  • HARDENING: Restrict local access to workstations running EcoStruxure Building Operation to authorized personnel only