Schneider Electric EcoStruxure Machine Expert HVAC (SEVD-2026-132-01)
Monitor | CVSS 5.5 | ICS-CERT ICSA-26-148-07 | May 12, 2026
Schneider Electric | Energy
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
EcoStruxure Machine Expert HVAC is programming software for Modicon M171-M172 logic controllers. Versions prior to 1.10.0 fail to adequately protect sensitive information in project files. An attacker with local access could reveal protected source code and proprietary control logic, resulting in loss of confidentiality of HVAC automation designs.
What this means
What could happen
An attacker with local access to a development machine could extract sensitive source code and proprietary control logic from EcoStruxure Machine Expert HVAC projects, compromising the confidentiality of your HVAC automation designs.
Who's at risk
HVAC system designers, facilities engineers, and building automation teams using Schneider Electric's EcoStruxure Machine Expert HVAC for programming Modicon M171-M172 logic controllers in commercial and industrial buildings, particularly in the energy sector.
How it could be exploited
An attacker with local user access to a machine running vulnerable versions of EcoStruxure Machine Expert HVAC could read unencrypted or insufficiently protected project files to extract sensitive information including protected source code and control logic.
Prerequisites
- Local user access to engineering workstation running EcoStruxure Machine Expert HVAC
- Access to project files stored on the affected machine or network shares
No authentication required for local access | Low complexity | Affects proprietary control logic confidentiality
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update EcoStruxure Machine Expert HVAC to version 1.10.0 or later
CVEs (1)