Multiple Vulnerabilities on EcoStruxure™ Building Operation Workstation and EcoStruxure™ Building Operation Webstation
Action: Plan Patch · Score: 7.3 · Schneider Electric advisory SEVD-2026-041-02 · Feb 10, 2026
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
EcoStruxure Building Operation Workstation and WebStation contain multiple vulnerabilities (CWE-611 XML External Entity injection, CWE-94 code injection) that could allow local attackers with user-level privileges to access local files, execute arbitrary code, or cause denial of service. Affected versions are 6.0.x prior to 6.0.4.14001 (CP10), 7.0.x prior to 7.0.3.2000 (CP1), and 7.0.2 prior to its patched release. Patches are available from Schneider Electric for both version families.
What this means
What could happen
An attacker with local access to a building operation workstation could read sensitive building automation configuration files, execute arbitrary commands on the management station, or disrupt the availability of the building control system, affecting HVAC, lighting, and security systems.
Who's at risk
Building automation operators and facility managers using EcoStruxure Building Operation software on Windows workstations or web-based deployments. This affects energy sector organizations (utilities, commercial buildings, campuses) that rely on Schneider Electric's building management platform for HVAC, lighting, power, and security system coordination.
How it could be exploited
An attacker with user-level access to a Windows workstation running EcoStruxure Building Operation can exploit the XML external entity (XXE) or code injection flaws through the application interface. This could lead to reading arbitrary files from the local system or executing code with the privileges of the application user.
Prerequisites
- Local or network access to the workstation or webstation running EcoStruxure Building Operation
- User-level credentials or interactive access to the management interface
- Ability to craft and submit malicious input (XML, code) through the application
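The XXE flaw described above is the CWE-611 pattern: an XML document whose DTD declares an external entity that the parser resolves, disclosing a local file. As an added defender-side example (not code from the advisory or from Schneider Electric), the following Python shows two controls for XML submitted to an application: a detection pass that lists externally-defined entities without resolving them, and a strict parser that refuses any document carrying a DOCTYPE. The sample documents, element names and the file URI are constructed placeholders.

```python
import xml.parsers.expat as expat

# Constructed samples (placeholders, not from the product or advisory): a document
# whose DTD declares an external entity pointing at a local file (CWE-611), and a
# benign document of the same shape.
XXE_SAMPLE = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE cfg [ <!ENTITY ext SYSTEM "file:///C:/constructed/placeholder.txt"> ]>\n'
              b'<cfg><name>&ext;</name></cfg>')
BENIGN_SAMPLE = b'<?xml version="1.0"?><cfg><name>Chiller-1</name></cfg>'

def find_external_entities(data: bytes) -> list:
    """Detection: (entity name, identifier) for each external entity the DTD declares."""
    found = []
    p = expat.ParserCreate()
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:  # external entities carry an id
            found.append((name, system_id or public_id))
    p.EntityDeclHandler = on_entity_decl
    # Returning 1 tells expat the reference is handled; nothing is ever fetched.
    p.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 1
    p.Parse(data, True)
    return found

def parse_config_strict(data: bytes) -> dict:
    """Mitigation: reject any DOCTYPE (so no entity declarations), then collect element text."""
    p = expat.ParserCreate()
    text, result = [], {}
    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not accepted in imported XML")
    def on_end(name):
        value = "".join(text).strip()
        if value:
            result[name] = value
        text.clear()
    p.StartDoctypeDeclHandler = reject_doctype
    p.StartElementHandler = lambda name, attrs: text.clear()
    p.CharacterDataHandler = text.append
    p.EndElementHandler = on_end
    p.Parse(data, True)
    return result

def is_accepted(data: bytes) -> bool:
    # True if the strict parser accepts the document, False if it rejected a DOCTYPE.
    try:
        parse_config_strict(data)
        return True
    except ValueError:
        return False
```

Python's expat does not fetch external entities unless a handler is installed, so the scanner stays safe on hostile input; libraries in other stacks may resolve them by default, which is why the strict parser rejects the DOCTYPE outright.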
Local access required · User credentials needed · Low complexity exploit · No authentication bypass · Affects building control operations · File disclosure and code execution possible
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (8)
8 with fix
Product                                     | Affected Versions                        | Fix Status
EcoStruxure™ Building Operation Workstation | All 7.0.x (≥ 7.0.x, < 7.0.3.2000 (CP1))  | 7.0.3.2000 (CP1)
EcoStruxure™ Building Operation Workstation | All 7.0.x (≥ 7.0.x, < 7.0.2)             | 7.0.3.2000 (CP1)
EcoStruxure™ Building Operation Workstation | All 6.x (≥ 6.x, < 6.0.4.14001 (CP10))    | 7.0.3.2000 (CP1)
EcoStruxure™ Building Operation WebStation  | All 7.0.x (≥ 7.0.x, < 7.0.3.2000 (CP1))  | 7.0.3.2000 (CP1)
EcoStruxure™ Building Operation WebStation  | All 6.x (≥ 6.x, < 6.0.4.14001 (CP10))    | 7.0.3.2000 (CP1)
EcoStruxure™ Building Operation Workstation | All 6.0.x (≥ 6.0.x, < 6.0.4.7000 (CP5))  | 7.0.3.2000 (CP1)
EcoStruxure™ Building Operation Webstation  | All 7.0.x (≥ 7.0.x, < 7.0.2)             | 7.0.3.2000 (CP1)
EcoStruxure™ Building Operation Webstation  | All 6.0.x (≥ 6.0.x, < 6.0.4.7000 (CP5))  | 7.0.3.2000 (CP1)
Remediation & Mitigation
Do now
- [HARDENING] Restrict local and network access to the workstation/webstation to authorized personnel and systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- [HOTFIX] Upgrade EcoStruxure Building Operation Workstation to version 7.0.3.2000 (CP1) or WebStation to 7.0.3.2000 (CP1)
- [HOTFIX] If on version 6.x, upgrade to 6.0.4.14001 (CP10) as an interim fix or plan migration to 7.0.3.2000 (CP1)
- [HOTFIX] For version 7.0.2 systems, apply the 7.0.2 patch or upgrade to 7.0.3.2000 (CP1)
Long-term hardening
- [HARDENING] Follow EcoStruxure Building Operation hardening guidelines as documented in the official EBO help documentation
CVEs (2)