Schneider Electric EcoStruxure Foxboro DCS

Monitor | CVSS 6.5 | ICS-CERT ICSA-26-083-02 | Mar 10, 2026
Schneider Electric | Energy | Manufacturing
Attack path
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: Required
Summary

A deserialization vulnerability exists in EcoStruxure Foxboro DCS Control Software versions below CS8.1 on Foxboro DCS workstations and servers. An attacker who can supply manipulated external data files (such as configuration taglists, DirectAccess scripts, Galaxy backups, library files, or ASCII files) to a compromised workstation could trigger unsafe deserialization, potentially resulting in loss of confidentiality and integrity and in remote code execution on that system. The Core Services and runtime software components (FCPs, FDCs, FBMs) are not affected. The vulnerability is fixed in version CS8.1, which requires FX-V3 licenses and a workstation/server reboot to apply.

What this means
What could happen
An attacker with local access or the ability to inject manipulated files (configuration lists, backups, scripts) into a Foxboro DCS workstation could trigger unsafe deserialization and execute arbitrary code on that system, potentially altering process controls or compromising the integrity of DCS operations.
Who's at risk
Operators of Schneider Electric EcoStruxure Foxboro DCS systems in the energy and manufacturing sectors should prioritize this issue. The vulnerability affects DCS workstations and servers running software versions below CS8.1. The Core Services and runtime components (FCPs, FDCs, FBMs) are not affected, which limits exposure, but engineering and operator workstations remain at risk if they receive untrusted configuration files, backups, or scripts.
How it could be exploited
An attacker must supply malicious serialized data to the DCS workstation through external sources such as configuration files, backup files, scripts, or library files. When the DCS software deserializes this untrusted data without proper validation, the attacker's code executes with the privileges of the compromised workstation, potentially allowing command execution or lateral movement within the DCS environment.
Prerequisites
  • Local or removable media access to a Foxboro DCS workstation or server running software version below CS8.1
  • Ability to introduce malformed files (configuration taglists, backups, scripts, ASCII files) into the DCS system
  • Engineer or administrative user context (users with elevated privileges are primary targets, but standard users may also be vulnerable if they accept untrusted files)
  • local code execution possible
  • requires file-based vector (configuration files, backups, scripts)
  • affects DCS engineering workstations and servers
  • low EPSS score (0.3%) but medium CVSS (6.5) with high integrity/confidentiality impact
  • deserialization of untrusted data
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
EcoStruxure™ Foxboro DCS | < CS8.1 | CS8.1
EcoStruxure Foxboro DCS | < CS8.1 | CS8.1
Remediation & Mitigation
Do now
WORKAROUND: Block USB and removable media devices on all Foxboro DCS workstations and servers
WORKAROUND: Restrict file imports to configuration taglists, backups, scripts, and library files from trusted, validated sources only; implement file integrity checks and verify file names and sizes match expected values
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EcoStruxure Foxboro DCS
HOTFIX: Update EcoStruxure Foxboro DCS to version CS8.1 or later on all workstations and servers
All products
HARDENING: Limit the number of users with engineering or administrative rights on DCS computers; audit and document all accounts with elevated privileges
HARDENING: Isolate Foxboro DCS workstations and servers from the general corporate network and the internet using firewalls and network segmentation
Long-term hardening
HARDENING: Use encrypted communication channels for any data transfers to or from DCS computers outside the site network
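
The file-import workaround above (file integrity checks, with file names and sizes matching expected values) can be enforced by checking a staging folder against a manifest before anything is imported. This is an added example, not Schneider Electric tooling or part of the advisory; the manifest layout, the staging-folder workflow and all file names are assumptions, and the manifest is assumed to arrive from the trusted source over a separate channel.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_staging(staging: Path, manifest: dict) -> dict:
    """Return {file name: verdict}; import only files whose verdict is 'ok'."""
    verdicts = {}
    for path in sorted(staging.iterdir()):
        entry = manifest.get(path.name)
        if path.is_symlink() or not path.is_file():
            verdicts[path.name] = "reject: not a regular file"
        elif entry is None:
            verdicts[path.name] = "reject: not in manifest"
        elif path.stat().st_size != entry["size"]:
            verdicts[path.name] = "reject: size mismatch"
        elif not hmac.compare_digest(sha256_of(path), entry["sha256"]):
            verdicts[path.name] = "reject: hash mismatch"
        else:
            verdicts[path.name] = "ok"
    # Anything the manifest promises but the staging folder lacks is reported too.
    for name in manifest.keys() - verdicts.keys():
        verdicts[name] = "missing from staging"
    return verdicts

def demo() -> dict:
    # Constructed sample data; names and contents are illustrative assumptions.
    trusted = {"taglist.csv": b"FIC101,AIN\n", "library.dat": b"LIBRARY-V1",
               "backup.cab": b"BACKUP", "script.txt": b"run"}
    manifest = {n: {"size": len(c), "sha256": hashlib.sha256(c).hexdigest()}
                for n, c in trusted.items()}
    on_disk = {"taglist.csv": b"FIC101,AIN\n",      # unchanged
               "library.dat": b"LIBRARY-V2",        # same size, altered content
               "backup.cab": b"BACKUP-PLUS-EXTRA",  # altered size
               "unlisted.txt": b"not expected"}     # absent from the manifest
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in on_disk.items():
            (Path(tmp) / name).write_bytes(content)
        return check_staging(Path(tmp), manifest)

if __name__ == "__main__":
    print(demo())
```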