Schneider Electric has disclosed a medium-severity XML External Entity (XXE) injection vulnerability in its EcoStruxure IT Data Center Expert (formerly StruxureWare Data Center Expert), a widely deployed monitoring platform used across the information technology, critical manufacturing, and energy sectors. CISA published the advisory as ICSA-26-181-03.
Vulnerability Details
The flaw, tracked as CVE-2026-8045, is classified under CWE-611 (Improper Restriction of XML External Entity Reference). It carries a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vector encodes network reachability, low attack complexity, low privileges required (that is, an authenticated user), no user interaction, an unchanged scope, and a high confidentiality impact; integrity and availability are unaffected.
An attacker who holds a valid Data Center Expert user account can submit crafted XML payloads to the product's SOAP service endpoints. An external entity declared in such a payload is resolved on the server, so a successful attack can expose the contents of any server-side file the application process is able to read, which may include configuration data or credentials.
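The mechanism described above, as an added example: this is not Schneider Electric's code and says nothing about how Data Center Expert parses SOAP. It runs a small Python xml.sax consumer over one constructed XXE payload three ways: with external general entities resolved (the CWE-611 configuration), with resolution disabled, and with the DOCTYPE rejected outright, which SOAP 1.1 (section 3) and SOAP 1.2 Part 1 (section 5) permit because a SOAP message must not contain a DTD. The secret file, its contents, the SOAP element names and the payload are all constructed for illustration.

```python
"""Added example (not Schneider Electric code): how CWE-611 turns an XML
consumer into a file reader, and two ways to close it. Everything below
(secret file, SOAP element names, payload) is constructed for illustration."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)
from xml.sax.xmlreader import InputSource

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace


class TextCollector(ContentHandler):
    """Gathers character data; an expanded entity's content lands here."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class DtdRejecter:
    """Lexical handler that aborts the parse at the first DOCTYPE.

    SOAP forbids a Document Type Declaration in a message, so a SOAP endpoint
    loses nothing by refusing one, and without a DTD nothing can declare an
    entity. expat's reader also requires the other four callbacks to exist."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DOCTYPE {name!r} rejected: DTDs are not allowed in SOAP")

    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def xxe_payload(system_id):
    """Constructed payload: an external entity declared in the DTD and
    referenced from the body. Real payloads use e.g. file:///etc/passwd."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [
  <!ENTITY xxe SYSTEM "{system_id}">
]>
<soap:Envelope xmlns:soap="{SOAP_ENV}">
  <soap:Body>
    <lookup><name>&xxe;</name></lookup>
  </soap:Body>
</soap:Envelope>
""".encode()


def _parse(xml_bytes, resolve_external, reject_dtd):
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    # The CWE-611 switch: when True, SYSTEM identifiers are fetched through the
    # default EntityResolver, which opens local files and URLs alike.
    parser.setFeature(feature_external_ges, resolve_external)
    if reject_dtd:
        parser.setProperty(property_lexical_handler, DtdRejecter())
    source = InputSource()
    source.setByteStream(io.BytesIO(xml_bytes))
    parser.parse(source)
    return "".join(handler.chunks)


def parse_vulnerable(xml_bytes):
    """External general entities resolved: the configuration behind CWE-611."""
    return _parse(xml_bytes, resolve_external=True, reject_dtd=False)


def parse_entities_disabled(xml_bytes):
    """First fix: keep accepting a DTD but never fetch external entities."""
    return _parse(xml_bytes, resolve_external=False, reject_dtd=False)


def parse_hardened(xml_bytes):
    """Second fix, preferred for SOAP: no external entities and no DTD at all."""
    return _parse(xml_bytes, resolve_external=False, reject_dtd=True)


def demo():
    """Plants a constructed secret, then runs the three parsers on one payload."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "app.properties")
        with open(secret_path, "w") as fh:
            fh.write("db.password=hunter2\n")          # constructed secret
        payload = xxe_payload(secret_path)
        leaked = parse_vulnerable(payload)
        silent = parse_entities_disabled(payload)
        try:
            parse_hardened(payload)
            rejected = False
        except ValueError:
            rejected = True
    return {"leaked": "hunter2" in leaked,
            "leaked_with_entities_disabled": "hunter2" in silent,
            "rejected_by_dtd_guard": rejected}


if __name__ == "__main__":
    print(demo())
```

The first parse returns the planted secret inside the `<name>` element's text, which is exactly the file-disclosure outcome the advisory describes; disabling external entities drops the reference silently, and the DTD guard refuses the message before any entity is even declared. In a real service the guard and the feature setting belong on every parser instance the SOAP layer creates, not just one code path.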
Affected Versions and Remediation
- Affected: EcoStruxure IT Data Center Expert version 9.1.1 and all prior versions
- Fixed: Version 9.1.2, available via the Schneider Electric product download portal
Operators running version 9.1.1 or earlier should prioritize upgrading to 9.1.2. Schneider Electric has confirmed the fix is included in that release.
Context and Credit
The vulnerability was reported to Schneider Electric by Vincent Michel of Formind Company. Schneider Electric’s CPCERT separately reported the issue to CISA. The product is deployed worldwide, making prompt patching important for any organization using it in operational or data center environments.
Mitigations Pending Patch
For environments where immediate patching is not feasible, standard ICS hardening practices apply:
- Isolate the EcoStruxure IT server from general business networks using firewalls
- Restrict access to SOAP service endpoints to authorized management hosts only
- Ensure the platform is not directly reachable from the internet
- Use VPNs for any required remote access, keeping VPN software current
Because exploitation requires a valid user account, strong access controls and user account hygiene (removing stale or shared accounts and reviewing who holds credentials for the platform) reduce the practical attack surface while the upgrade is planned.
