Description
CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of untrusted commands on the engineering workstation which could result in a limited compromise of the workstation and a potential loss of Confidentiality, Integrity and Availability of the subsequent system when an authenticated user opens a malicious project file.
Published: 2026-03-10
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Untrusted code execution on an engineering workstation via malicious project files
Action: Patch Required
AI Analysis

Impact

The flaw is triggered when an authenticated user on the engineering workstation opens a crafted project file; the workstation then executes attacker-supplied code with that user's privileges. The vendor describes the direct result as a limited compromise of the workstation, and the CVSS 4.0 vector on this record (VC:L/VI:H/VA:L, SC:H/SI:H/SA:H) rates the impact as high on the workstation's integrity and high on the confidentiality, integrity and availability of the subsequent systems the workstation is trusted to reach.

Affected Systems

Schneider Electric EcoStruxure Automation Expert engineering workstations are affected. The CVE record mirrored here does not list an affected version range, so treat every installed copy as in scope until the vendor advisory names a fixed version; an installation whose version cannot be determined should be assumed vulnerable rather than exempt.

Risk and Exploitability

The CVSS 4.0 base score of 7.2 (vector AV:L/AC:L/AT:N/PR:L/UI:A) rates the issue High: the attack vector is local, no special conditions are needed, low privileges suffice, and a user must actively open the file. The EPSS score is below 1%, the SSVC values on the record are Exploitation: none and Automatable: no, and the vulnerability is not in the CISA KEV catalog, so the current likelihood of exploitation is low. In practice the attacker does not need an account of their own: they need a crafted project file to reach a legitimate user who is permitted to open it, by whatever channel delivers project files to that user. Once the file is opened, the attacker's code runs with that user's privileges on the workstation, which can then be used as a foothold against the controllers and other systems the workstation manages.

Generated by OpenCVE AI on April 17, 2026 at 11:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Schneider Electric update that fixes the code injection flaw once it is published; this record currently lists no fix, so watch the vendor's security notifications and release notes for CVE-2026-2273.
  • Treat project files as untrusted input: accept them only from controlled sources, and verify their integrity (a hash allowlist or a signature produced by the release process) before they are opened on the engineering workstation.
  • Limit what a malicious project file can do once opened: run the engineering software as a least‑privileged user, apply application allowlisting on the workstation so that scripts or binaries dropped by a project file cannot execute, and isolate the workstation from the wider network so that a compromised workstation cannot freely reach downstream systems.
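The second recommendation above, as an added example that is not part of this page or of Schneider Electric's product: a Python admission gate that hashes each project file and checks it against an allowlist manifest built on a trusted release host and protected with an HMAC. The page does not describe EcoStruxure Automation Expert's file format or any built-in signing feature, so the manifest layout, the key handling and the `.project` file names are assumptions of this example, and the file contents are constructed.

```python
import copy
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumption of this example: the key is generated on the trusted release host and
# provisioned to the workstation out of band. Nothing here is an EcoStruxure feature.
CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large project archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(files, key: bytes) -> dict:
    """Run on the trusted host: record each file's hash, then MAC the whole entry set."""
    entries = {p.name: sha256_file(p) for p in files}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    """Reject a manifest whose entries were edited after it was MACed."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def admit_project_file(path: Path, manifest: dict, key: bytes):
    """Decide whether a project file may be opened. Returns (allowed, reason)."""
    if not verify_manifest(manifest, key):
        return False, "manifest MAC invalid; refusing every file"
    expected = manifest["entries"].get(path.name)
    if expected is None:
        return False, f"{path.name} is not in the allowlist"
    if not hmac.compare_digest(expected, sha256_file(path)):
        return False, f"{path.name} differs from the released version"
    return True, f"{path.name} verified"


def demo() -> dict:
    """Constructed scenario in a temp dir: one released file, then three attacks on the gate."""
    key = b"example-manifest-key-lives-only-on-release-host"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        proj = root / "line3.project"  # hypothetical file name
        proj.write_bytes(b"constructed project file contents v1")
        manifest = build_manifest([proj], key)

        results = {"trusted": admit_project_file(proj, manifest, key)[0]}

        # 1. Same file name, contents altered after release (the injected payload case).
        proj.write_bytes(b"constructed project file contents v1 + injected payload")
        results["tampered"] = admit_project_file(proj, manifest, key)[0]

        # 2. A file that never went through the release process.
        stray = root / "vendor_update.project"
        stray.write_bytes(b"constructed unlisted file")
        results["unlisted"] = admit_project_file(stray, manifest, key)[0]

        # 3. Attacker adds the stray file's hash to a copy of the manifest without the key.
        forged = copy.deepcopy(manifest)
        forged["entries"]["vendor_update.project"] = sha256_file(stray)
        results["forged_manifest"] = admit_project_file(stray, forged, key)[0]
        return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:16} -> {'ALLOW' if allowed else 'DENY'}")
```

The MAC over the manifest matters as much as the per-file hash: without it, whoever can drop a malicious project file on the share can also append its hash to the allowlist (the `forged_manifest` case). Because the workstation must hold the HMAC key to verify, a compromise of the workstation leaks it; in a real deployment a public-key signature over the manifest is preferable, since the workstation then verifies with a public key and holds no secret worth stealing.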

Generated by OpenCVE AI on April 17, 2026 at 11:41 UTC.


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Title Code Injection via Malicious Project Files in Schneider Electric EcoStruxure Automation Expert

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Schneider-electric
Schneider-electric ecostruxure Automation Expert
Vendors & Products Schneider-electric
Schneider-electric ecostruxure Automation Expert

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exist that could cause execution of untrusted commands on the engineering workstation which could result in a limited compromise of the workstation and a potential loss of Confidentiality, Integrity and Availability of the subsequent system when an authenticated user opens a malicious project file.
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:L/SC:H/SI:H/SA:H'}


Subscriptions

Schneider-electric Ecostruxure Automation Expert
MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-03-10T17:42:47.751Z

Reserved: 2026-02-10T09:45:08.807Z

Link: CVE-2026-2273

Vulnrichment

Updated: 2026-03-10T17:42:20.956Z

NVD

Status : Awaiting Analysis

Published: 2026-03-10T18:18:48.007

Modified: 2026-03-11T13:53:20.707

Link: CVE-2026-2273

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses