Description
CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of sensitive information, which could result in revealing protected source code and loss of confidentiality when an authorized attacker accesses the source code for editing or compiling it.
Published: 2026-05-14
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a clear‑text storage of sensitive information within the EcoStruxure Machine Expert HVAC software, allowing an attacker to read protected source code that is normally kept confidential. The flaw is identified as CWE‑312 and could result in a breach of confidentiality if an attacker with authorized access to the source code for editing or compiling purposes exploits it.

Affected Systems

Schneider Electric’s EcoStruxure Machine Expert HVAC product is affected. No specific version numbers are listed, but any deployment of this product without the recent update may be vulnerable.

Risk and Exploitability

The CVSS score of 6.8 signals moderate severity; EPSS data is unavailable and the issue is not listed in CISA KEV. The likely attack vector requires an authorized user with privileges to read or modify source code; such a user could read the clear‑text stored data and compromise confidentiality. The risk is mitigated by applying the vendor’s fix and enforcing strict access controls.

Generated by OpenCVE AI on May 14, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest Schneider Electric security update for EcoStruxure Machine Expert HVAC that addresses the clear‑text storage defect.
  • Ensure that any configuration or source code files that contain sensitive data are stored with encryption or appropriate permissions to prevent accidental exposure.
  • Restrict user privileges to the minimum necessary, disabling generic read access to source code repositories and applying the principle of least privilege.
  • Enable audit logging for file access events so that unauthorized attempts to read protected source code can be detected and investigated.


Advisories

No advisories yet.

History

Thu, 14 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of sensitive information, which could result in revealing protected source code and loss of confidentiality when an authorized attacker accesses the source code for editing or compiling it.
Title | | Clear Text Storage of Sensitive Information on EcoStruxure™ Machine Expert HVAC
Weaknesses | | CWE-312
References | |
Metrics | | cvssV4_0 {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-05-14T18:37:23.728Z

Reserved: 2026-04-15T07:55:30.087Z

Link: CVE-2026-6332

Vulnrichment

Updated: 2026-05-14T18:37:19.875Z

NVD

Status: Awaiting Analysis

Published: 2026-05-14T18:16:51.067

Modified: 2026-05-14T18:24:08.747

Link: CVE-2026-6332

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T18:45:26Z

Weaknesses