Schneider Electric EcoStruxure Automation Expert

Plan PatchCVSS 8.2ICS-CERT ICSA-26-078-03Mar 10, 2026

Schneider ElectricEnergyManufacturing

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

Schneider Electric EcoStruxure Automation Expert contains a vulnerability that allows arbitrary command execution on the engineering workstation. The vulnerability is triggered when an attacker-supplied solution or archive file is opened, potentially leading to full system compromise. Versions prior to 25.0.1 are affected.

What this means

What could happen

An attacker who tricks an engineer into opening a malicious solution or archive file could execute arbitrary commands on the engineering workstation, potentially gaining control over the entire automation system and any connected industrial processes.

Who's at risk

This vulnerability affects plant automation engineers and operators at manufacturing facilities and energy providers who use Schneider Electric EcoStruxure Automation Expert for discrete, hybrid, or continuous process control. The risk is highest in environments where multiple engineers share file storage or where solution files are distributed across networks without integrity verification.

How it could be exploited

An attacker crafts a malicious EcoStruxure Automation Expert solution or archive file and delivers it to an engineering workstation operator (via email, file share, or other means). When the engineer opens the file, arbitrary code is executed with the privileges of the user running the application. This could allow the attacker to modify control logic, alter process setpoints, or disable safety systems.

Prerequisites

Local or network-accessible write access to the location where solution/archive files are stored
Valid user credentials on the engineering workstation
User interaction required: engineer must open the malicious file
If files stored outside home directory: insufficient file system access controls

Requires user interaction to exploitEngineering workstation compromise could lead to process control manipulationAffects automation systems in critical infrastructure (energy, manufacturing)Low authentication barrier if files are stored on shared network drives

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (1)

ProductAffected VersionsFix Status

EcoStruxure™ Automation Expert< 25.0.125.0.1

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGConfigure Windows file system access controls to restrict read and write permissions on directories containing solution and archive files to authorized engineering staff only

HARDENINGEnforce a policy requiring engineers to verify the authenticity and integrity of all solution and archive files before opening them (implement file integrity verification or signed file requirements where supported)

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate EcoStruxure Automation Expert to version 25.0.1 or later

HARDENINGStore all EcoStruxure solution and archive files within protected user home directories rather than shared or world-accessible locations

CVEs (1)

CVE-2026-2273

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/35b68fca-45e6-4614-84e5-672456f8acec

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.