Description
CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when an admin authenticated user opens a malicious project file.
Published: 2026-03-10
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The flaw is an insecure deserialization vulnerability that allows a malicious project file to be opened by an authenticated administrator. When the file is processed, untrusted data is deserialized, which can lead to loss of confidentiality, loss of integrity and, in the most severe cases, remote code execution. The description explicitly states that the vulnerability could result in remote code execution on the workstation when an admin opens a malicious file.

Affected Systems

Schneider Electric EcoStruxure Foxboro DCS workstations are affected; the vulnerability applies to the desktop component that imports and opens project files.

Risk and Exploitability

The CVSS score of 7 indicates moderate to high severity. The EPSS score of less than 1% suggests that exploitation attempts are currently rare, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a local or network-based user who has authenticated as an administrator and chooses to open a crafted project file; this inference is drawn from the description which states the vulnerability can be triggered when an admin opens a malicious file. Successful exploitation could allow an attacker to achieve full remote code execution on the affected workstation.

Generated by OpenCVE AI on April 17, 2026 at 11:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch that addresses insecure deserialization of project files.
  • Restrict the import or open project file functionality to trusted users only and enforce strict input validation on project files.
  • Disable or remove the ability to open external project files from untrusted sources on the workstation.

Generated by OpenCVE AI on April 17, 2026 at 11:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Title Deserialization Vulnerability in EcoStruxure Foxboro DCS Allows Remote Code Execution

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Schneider-electric
Schneider-electric foxboro Dcs
Vendors & Products Schneider-electric
Schneider-electric foxboro Dcs

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when an admin authenticated user opens a malicious project file.
Weaknesses CWE-502
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Schneider-electric Foxboro Dcs
cve-icon MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-03-10T17:55:36.889Z

Reserved: 2026-01-21T13:15:37.247Z

Link: CVE-2026-1286

cve-icon Vulnrichment

Updated: 2026-03-10T17:54:21.842Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-10T18:18:04.917

Modified: 2026-03-11T13:53:47.157

Link: CVE-2026-1286

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses