Schneider Electric EcoStruxure Automation Expert

Plan Patch8.2ICS-CERT ICSA-26-078-03Mar 19, 2026

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

A vulnerability in EcoStruxure™ Automation Expert (versions before 25.0.1) allows arbitrary code execution through improper handling of solution and archive files. The vulnerability is triggered when a user opens a malicious or modified file without proper authentication or integrity verification. An attacker could exploit this to run arbitrary commands on the engineering workstation running the software.

What this means

What could happen

An attacker could execute arbitrary commands on an engineering workstation running EcoStruxure Automation Expert, potentially compromising the automation system and enabling modification of industrial process logic or system shutdown. This could disrupt operations at power plants, manufacturing facilities, or other critical infrastructure relying on this software for digital control systems.

Who's at risk

Energy sector utilities and manufacturing plants using Schneider Electric EcoStruxure™ Automation Expert for digital control of discrete, hybrid, or continuous industrial processes. This includes power generation facilities, industrial manufacturing plants, and any organization relying on this software for plant automation and system configuration on engineering workstations.

How it could be exploited

An attacker crafts a malicious solution or archive file and tricks an engineering workstation user into opening it through social engineering or by placing it in a shared directory. When the user opens the file without verifying its authenticity, the malicious code executes with the privileges of the engineering workstation user, allowing full system compromise.

Prerequisites

User interaction required (engineer must open a malicious file)
Local user credentials (attacker needs to place file where an engineer will find it)
Engineering workstation running affected EcoStruxure Automation Expert version must be accessible
File storage location must lack restrictive Windows access controls or be in a shared directory

Low complexity exploitationHigh impact on engineering workstation and potentially downstream systemsNo authentication required once user interaction occursDefault behavior may store files in shared locations without protection

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (1)

ProductAffected VersionsFix Status

EcoStruxure™ Automation Expert< 25.0.125.0.1

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDConfigure Windows file-system access controls to restrict access to solution and archive file storage locations; store files only in user home directories or protected locations

HARDENINGRequire engineers to verify authenticity of solution and archive files before opening them; implement a procedure to check file integrity and confirm source

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate EcoStruxure™ Automation Expert to version 25.0.1 or later

Long-term hardening

0/1

HARDENINGIsolate engineering workstations from business networks and limit network access to only necessary systems

CVEs (1)

CVE-2026-2273

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/35b68fca-45e6-4614-84e5-672456f8acec