Schneider Electric EcoStruxure Foxboro DCS
Monitor · 6.5 · ICS-CERT ICSA-26-083-02 · Mar 24, 2026
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: Required
Summary
EcoStruxure Foxboro DCS Control Software running on workstations and servers contains a deserialization vulnerability (CWE-502) that could allow remote code execution if an attacker with high-level privileges tricks an engineer or administrator into opening a malicious file (configuration taglist, Galaxy backup, script, or data file). The vulnerability affects workstations and servers but not the Control Core Services or live runtime control processors. Code execution would occur with the privileges of the user who opened the file.
What this means
What could happen
An attacker with high-level privileges and user interaction could deserialize malicious data on a Foxboro DCS workstation or server, potentially executing arbitrary commands and compromising confidentiality and integrity of the control system configuration and operations.
Who's at risk
EcoStruxure Foxboro DCS operators and engineers at energy companies, utilities, and manufacturing facilities that use Foxboro workstations and servers for distributed control system configuration, monitoring, and maintenance. The vulnerability does not affect the Control Core Services or runtime field components (FCPs, FDCs, FBMs) that directly control plant equipment.
How it could be exploited
An attacker must first gain high-level (engineering/administrative) privileges on a DCS workstation or server, then trick a user into opening a malicious file (configuration taglist, Galaxy backup, script, or ASCII file) delivered via USB, email, or external file share. The deserialization vulnerability triggers when the crafted file is processed, allowing code execution on the DCS computer.
Prerequisites
- High-level (engineering or administrative) credentials on the Foxboro DCS workstation or server
- User interaction required: administrator or engineer must open/import a malicious file
- Ability to deliver a crafted file to the DCS computer (USB, network share, email, or external data source)
- Target must be running EcoStruxure Foxboro DCS version prior to CS8.1
- Requires high privileges to exploit
- Requires user interaction to trigger
- Affects engineering/administrative workstations, not live control hardware
- Deserialization attack (CWE-502)
- Low EPSS score (0.3%) indicates limited real-world exploit activity
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| EcoStruxure Foxboro DCS | < CS8.1 | CS8.1 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict import of configuration files, Galaxy backups, scripts, and data files to trusted sources only; validate file names, sizes, and structures before processing
- HARDENING: Minimize the number of users with engineering or administrative rights on DCS computers; enforce principle of least privilege for all workstation access
- HARDENING: Prohibit or strictly control removable media (USB drives, external storage) on DCS computers
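One way to script the "validate file names, sizes, and structures" workaround as a pre-import gate. This is an added example, not Schneider Electric's code; the name pattern, size limit, text-file extensions and trusted-hash manifest are assumed site policy, and the sample files are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed site policy (not from the advisory); adjust to local conventions.
MAX_BYTES = 5 * 1024 * 1024                    # upper bound for an import file
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # no spaces, separators or odd characters
TEXT_SUFFIXES = {".txt", ".csv"}               # hypothetical extensions for ASCII/taglist files

def sha256_of(path: Path) -> str:
    # Only called after the size check, so reading the whole file is bounded.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def vet_import(path: Path, trusted_hashes: set[str]) -> list[str]:
    """Return reasons to reject the file; an empty list means it may be imported."""
    if path.is_symlink() or not path.is_file():
        return ["not a regular file"]
    problems = []
    if not NAME_RE.fullmatch(path.name):
        problems.append("file name outside allowed pattern")
    size = path.stat().st_size
    if size == 0 or size > MAX_BYTES:
        return problems + ["size outside allowed range"]
    # Trusted source: the digest must appear in a manifest published by the
    # engineering team through a separate channel from the file itself.
    if sha256_of(path) not in trusted_hashes:
        problems.append("hash not in trusted manifest")
    # Structure: files declared as text must contain only printable ASCII,
    # tab, CR and LF, so embedded binary content is rejected.
    if path.suffix.lower() in TEXT_SUFFIXES:
        data = path.read_bytes()
        if any(b > 0x7E or (b < 0x20 and b not in (0x09, 0x0A, 0x0D)) for b in data):
            problems.append("unexpected bytes in text file")
    return problems

def demo() -> dict[str, list[str]]:
    """Constructed samples: one approved text file and one tampered look-alike."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "taglist_unit1.csv")
        good.write_bytes(b"TAG,DESC\r\nFIC101,Feed flow\r\n")
        trusted = {sha256_of(good)}
        bad = Path(d, "taglist unit1.csv")
        bad.write_bytes(b"TAG,DESC\r\n\x00\x01\xff")
        return {"good": vet_import(good, trusted), "bad": vet_import(bad, trusted)}
```

A gate like this narrows which files reach the import dialog; it does not remove the deserialization flaw, which is fixed by the CS8.1 upgrade.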
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade EcoStruxure Foxboro DCS to version CS8.1 or later
- HARDENING: Use encrypted, secure communication channels for any external data transfer to DCS systems
Long-term hardening
- HARDENING: Isolate Foxboro DCS computers from business networks and the internet using firewalls and network segmentation
CVEs (1)