Improper Control of Generation of Code ('Code Injection') vulnerability on EcoStruxure™ Automation Expert
Plan: Patch
CVSS Score: 8.2
Vendor Advisory: SEVD-2026-069-04
Published: Mar 10, 2026
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
EcoStruxure™ Automation Expert contains a code injection vulnerability (CWE-94, Improper Control of Generation of Code) that allows execution of arbitrary commands on the engineering workstation. The vulnerability affects versions prior to 25.0.1.
What this means
What could happen
An attacker with local access to an engineering workstation could inject code and run arbitrary commands, potentially compromising the entire automation system configuration and control logic used to manage industrial processes.
Who's at risk
Energy sector utilities and manufacturing facilities running Schneider Electric's EcoStruxure™ Automation Expert for plant automation and discrete, hybrid, or continuous process control should apply this patch. This affects engineering teams who develop and maintain PLC/automation logic.
How it could be exploited
An attacker with local access to an engineering workstation running EcoStruxure™ Automation Expert could exploit the code injection flaw through user interaction (e.g., opening a malicious project file or accepting a prompt) to execute arbitrary commands with the privileges of the engineering user, potentially gaining full control of system configurations.
Prerequisites
- Local access to an engineering workstation
- EcoStruxure™ Automation Expert software running version prior to 25.0.1
- User interaction required (e.g., opening a file or accepting a prompt); attack complexity is low
- Engineering user privileges or higher on the workstation
Tags: requires local workstation access · user interaction required · affects engineering/control system configuration · low complexity exploitation · high CVSS score (8.2)
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product: EcoStruxure™ Automation Expert
Affected Versions: < 25.0.1
Fix Status: 25.0.1
Remediation & Mitigation
Schedule: requires maintenance window. Patching may require device reboot; plan for process interruption.
Hotfix: Update EcoStruxure™ Automation Expert to version 25.0.1 or later.
CVEs (1)
API: /api/v1/advisories/88666ad3-18e7-418d-b311-549175e3ac9a