Summary
Schneider Electric is aware of a vulnerability in EcoStruxure Building Operation Workstation and EcoStruxure Building Operation WebStation. [EcoStruxure Building Operation (EBO)](https://www.se.com/ww/en/product-range/62111-ecostruxure-building-operation-software/#overview) is an open and scalable software platform providing insight, control and management of multiple building systems and devices in one mobile-enabled convenient view. It delivers valuable data for decision-making to improve energy management and increase efficiency for better building performance and comfort, reduced carbon, and more sustainable building environments. Failure to apply the remediations below may risk exposure of local files or denial of service, which could result in data breaches and operational disruptions.
The following versions of Schneider Electric EcoStruxure Building Operation Workstation are affected:
- EcoStruxure Building Operation Workstation vers:generic/>=7.0.x|<7.0.3.2000_(CP1), 7.0.3.2000_CP1, vers:generic/>=6.x|<6.0.4.14001_(CP10), 6.0.4.14001_CP10, vers:intdot/>=7.0.x|<7.0.2, 7.0.2, vers:generic/>=6.0.x|<6.0.4.7000_(CP5), 6.0.4.7000_CP5 (CVE-2026-1227, CVE-2026-1226)
- EcoStruxure Building Operation WebStation vers:generic/>=7.0.x|<7.0.3.2000_(CP1), 7.0.3.2000_CP1, vers:generic/>=6.x|<6.0.4.14001_(CP10), 6.0.4.14001_CP10, vers:intdot/>=7.0.x|<7.0.2, 7.0.2, vers:generic/>=6.0.x|<6.0.4.7000_(CP5), 6.0.4.7000_CP5 (CVE-2026-1227, CVE-2026-1226)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 7.3 | Schneider Electric | Schneider Electric EcoStruxure Building Operation Workstation | Improper Restriction of XML External Entity Reference, Improper Control of Generation of Code (‘Code Injection’) |
Background
- Critical Infrastructure Sectors: Commercial Facilities, Energy, Government Services and Facilities, Healthcare and Public Health, Information Technology, Transportation Systems, Financial Services, Defense Industrial Base, Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: France
Vulnerabilities
CVE-2026-1227
An improper restriction of XML external entity reference vulnerability exists that could result in unauthorized disclosure of local files, unauthorized interaction with the EBO system, or denial-of-service conditions. This occurs when a local user uploads a maliciously crafted TGML graphics file to the EBO server from Workstation.
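As an added example (not Schneider Electric's code and not part of the advisory), the following pre-import screen flags DOCTYPE and entity declarations in a TGML file before it is uploaded from Workstation. It assumes TGML files are XML documents with no legitimate need for a DTD; the function names and both sample files are constructed.

```python
import xml.parsers.expat as expat


def screen_tgml(data: bytes) -> list:
    """Return DTD-related findings for one TGML file; an empty list means none."""
    findings = []
    parser = expat.ParserCreate()
    # Never load external parameter entities or an external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    # No ExternalEntityRefHandler is installed, so external general
    # entities are reported by the handlers below but never fetched.

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(
            f"DOCTYPE on <{name}> (external subset: {system_id or 'none'})")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:
            findings.append(f"external entity '{name}' -> {system_id}")
        else:
            # Internal entities matter too: nested expansion is the
            # usual route to parser denial of service.
            findings.append(f"internal entity '{name}' ({len(value or '')} chars)")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


def safe_to_import(data: bytes) -> bool:
    """Policy assumed here: any DTD content or parse error blocks the import."""
    return not screen_tgml(data)


# Constructed samples; element names are illustrative, not the TGML schema.
CLEAN = (b'<?xml version="1.0" encoding="utf-8"?>\n'
         b'<Tgml Width="200" Height="100"><Text>AHU-1</Text></Tgml>')
SUSPECT = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE Tgml [<!ENTITY probe SYSTEM '
           b'"file:///constructed/placeholder">]>\n'
           b'<Tgml><Text>AHU-1</Text></Tgml>')

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, safe_to_import(sample), screen_tgml(sample))
```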
Affected Products
| Product | Vendor | Affected versions | Status |
|---|---|---|---|
| Schneider Electric EcoStruxure Building Operation Workstation | Schneider Electric | EcoStruxure Building Operation Workstation All 7.0.x versions prior to 7.0.3.2000 (CP1), EcoStruxure Building Operation Workstation All 6.x versions prior to 6.0.4.14001 (CP10), EcoStruxure Building Operation WebStation All 7.0.x versions prior to 7.0.3.2000 (CP1), EcoStruxure Building Operation WebStation All 6.x versions prior to 6.0.4.14001 (CP10) | fixed, known_affected |
Remediations
Vendor fix
The following versions of EcoStruxure Building Operation Workstation and EcoStruxure Building Operation WebStation include a fix for CVE-2026-1227:
- 7.0.3.2000 (CP1)

Step 1: Navigate to this link: https://www.se.com/myschneider/documentsDownloadCenter/detail?id=EBO-Patch-v7-0
Step 2: Download ‘EcoStruxure Building Operation Patch v7.0’
Step 3: Follow the installation instructions provided in the accompanying readme file.

Additionally, ensure you are following the [EBO hardening guidelines](https://ecostruxure-building-help.se.com/bms/Topics/show.castle?id=14923&productversion=7.1&locale=en-US).
Vendor fix
The following versions of EcoStruxure Building Operation Workstation and EcoStruxure Building Operation WebStation i
[…]