Schneider Electric EcoStruxure IT Data Center Expert
Summary
CISA has released an alert regarding a vulnerability (CVE-2026-8045) in Schneider Electric EcoStruxure IT Data Center Expert software, specifically an Improper Restriction of XML External Entity Reference (XXE). This flaw could allow an authenticated attacker to submit crafted XML payloads, leading to information disclosure of server-side file contents. Schneider Electric has released version 9.1.2, which includes a fix for this vulnerability.
IFF Assessment
This alert gives defenders the essential facts about a vulnerability in widely deployed critical-infrastructure management software, together with an immediate remediation step (upgrade to version 9.1.2), so affected systems can be secured promptly.
Severity
The article explicitly states a CVSS v3 score of 6.5. The score reflects an Improper Restriction of XML External Entity Reference (CWE-611) in which exploitation requires a Data Center Expert user account: an authenticated attacker can submit crafted XML payloads, and the resulting impact is information disclosure of server-side file contents.
Defender Context
Defenders managing critical infrastructure, particularly in Information Technology, Critical Manufacturing, and Energy sectors, must prioritize updating Schneider Electric EcoStruxure IT Data Center Expert to version 9.1.2 or later. This vulnerability highlights the ongoing risk of XXE flaws in enterprise software, especially when handling XML input. Organizations should regularly review their authentication and input validation mechanisms for SOAP services and other data processing endpoints to mitigate similar risks.
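The mitigation class the paragraph above points at, for defenders who operate their own SOAP or XML intake endpoints, is to refuse documents carrying a DTD before a parser ever sees them, since every external-entity declaration lives inside a DTD. The following is an added example written for this page; it is not Schneider Electric code, is not tied to the patched product, and assumes a UTF-8-only endpoint (documents in other encodings are rejected rather than guessed, so a DOCTYPE cannot be hidden from the textual check behind a transcoding). All sample documents are constructed for the demonstration.

```python
"""Fail-closed XML intake guard for a SOAP-style endpoint (added example).

Reject any inbound document that carries a DTD, then parse with the
standard library. This is a generic hardening pattern, not the vendor's fix.
"""
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an inbound document is rejected by the intake guard."""


def decode_xml_bytes(raw: bytes) -> str:
    # Assumption for this example: the endpoint accepts UTF-8 only.
    # UTF-16 (detected by its byte-order mark) and undecodable input are
    # refused outright instead of being transcoded and inspected.
    if raw.startswith(b"\xef\xbb\xbf"):          # strip a UTF-8 BOM
        raw = raw[3:]
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        raise UnsafeXMLError("UTF-16 documents are not accepted")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise UnsafeXMLError("document is not valid UTF-8") from exc


def reject_dtd(text: str) -> None:
    # XML keywords are case-sensitive: "<!DOCTYPE" and "<!ENTITY" are the
    # only spellings a conforming parser honours, so a lowercase variant is
    # simply malformed XML. Matching anywhere in the text, even inside a
    # comment, is a deliberate fail-closed choice.
    for token in ("<!DOCTYPE", "<!ENTITY"):
        if token in text:
            raise UnsafeXMLError(f"DTD construct {token!r} is not permitted")


def parse_untrusted(raw: bytes) -> ET.Element:
    """Decode, screen for DTD constructs, then parse. Raises UnsafeXMLError."""
    text = decode_xml_bytes(raw)
    reject_dtd(text)
    try:
        return ET.fromstring(text)
    except ET.ParseError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def accepts(raw: bytes) -> bool:
    """True when the guard lets the document through to the application."""
    try:
        parse_untrusted(raw)
    except UnsafeXMLError:
        return False
    return True


# Constructed samples (not real traffic).
BENIGN_SOAP = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetStatus><DeviceId>sensor-42</DeviceId></GetStatus></soap:Body>
</soap:Envelope>"""

# Textbook general-entity XXE shape; the SYSTEM target is a placeholder.
XXE_GENERAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///placeholder/path">]>'
    b"<r>&xxe;</r>"
)

# Parameter-entity variant: still a DTD, still refused at the first token.
XXE_PARAMETER_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY % p SYSTEM "file:///placeholder/path">%p;]>'
    b"<r/>"
)

# Evasion attempt the textual check does not match; the parser rejects it
# as malformed, so the outcome is the same: refused.
LOWERCASE_DOCTYPE = b'<?xml version="1.0"?><!doctype r><r/>'

# Same document transcoded to UTF-16 with a BOM; refused before inspection.
UTF16_ENVELOPE = '<?xml version="1.0"?><r/>'.encode("utf-16")


if __name__ == "__main__":
    for name, doc in [
        ("benign SOAP", BENIGN_SOAP),
        ("general-entity XXE", XXE_GENERAL_ENTITY),
        ("parameter-entity XXE", XXE_PARAMETER_ENTITY),
        ("lowercase doctype", LOWERCASE_DOCTYPE),
        ("UTF-16 envelope", UTF16_ENVELOPE),
    ]:
        print(f"{name:22s} -> {'accepted' if accepts(doc) else 'rejected'}")
```

A guard like this belongs in front of the parser, not as a replacement for configuring the parser itself: wherever the underlying library exposes switches to disable DTD processing and external entity resolution, turn them off as well, so the two controls fail independently. The screen is intentionally coarse (a benign comment containing the literal `<!DOCTYPE` would be refused); for an endpoint whose legitimate traffic never carries a DTD, that false positive is the right trade.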