Vulnerability

CERT-In Vulnerability Note CIVN-2026-0143
Multiple Vulnerabilities in Schneider Electric EBO Workstation/WebStation

Original Issue Date:March 17, 2026

Severity Rating: HIGH

Systems Affected

EcoStruxure Building Operation Workstation and WebStation:

CVE-2026-1227: all 7.0.x versions prior to 7.0.3.2000 (CP1) and all 6.x versions prior to 6.0.4.14001 (CP10)
CVE-2026-1226: all 7.0.x versions prior to 7.0.2 and all 6.0.x versions prior to 6.0.4.7000 (CP5)

Overview

XML External Entity (XXE) Injection and Code Injection vulnerabilities affect Schneider Electric's EcoStruxure Building Operation Workstation and WebStation components. These vulnerabilities can be exploited by a local user to gain unauthorised access, perform Denial of Service or malicious code execution.

Target Audience:
Organizations using Schneider Electric's EcoStruxure Building Operation for control and management of building systems and devices.

Risk Assessment:
High risk of data disclosure, alteration and service disruption.

Impact Assessment:
Potential High impact on Confidentiality, Integrity and Availability of the System.

Description

EcoStruxure Building Operation (EBO) from Schneider Electric is an open, scalable platform that enables centralized monitoring, control, and management of multiple building systems through a mobile enabled interface.

1. EBO Server XXE Vulnerability ( CVE-2026-1227 )

This vulnerability exists due to improper restriction of the XML External Entity references by the system. A local attacker with low privileges could exploit this vulnerability by uploading a specially crafted TGML graphics file to the EBO server from Workstation. Successful exploitation may allow the attacker to cause unauthorized disclosure of local files, unauthorized interaction within the EBO system, or denial of service conditions.

2. TGML Graphics File Remote Code Execution Vulnerability ( CVE-2026-1226 )

This vulnerability exists due to improper checks and control on user inputs and subsequent code generation by the system. A local attacker with low privileges could exploit this vulnerability by supplying a malicious crafted design content within a TGML graphics file which can cause execution of untrusted or unintended code within the application. Successful exploitation could be leading to system compromise, data manipulation, or disruption of services on the affected system.

Workaround

Schneider Electric recommends to follow the General Mitigations/ workarounds available at:
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-041-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-041-02.pdf

Solution

Upgrade the EBO Workstation and WebStation components affected by CVE-2026-1227:

From all 7.0.x versions prior to 7.0.3.2000 (CP1) - to the version 7.0.3.2000 (CP1)
From all 6.x versions prior to 6.0.4.14001 (CP10)- to the version 6.0.4.14001 (CP10)

Upgrade the EBO Workstation and WebStation components affected by CVE-2026-1226:

From all 7.0.x versions prior to 7.0.2 - to the version 7.0.2
From all 6.0.x versions prior to 6.0.4.7000 (CP5)- to the version 6.0.4.7000 (CP5)

Vendor Information

Schneider Electric
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications/

References

Schneider Electric
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-041-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-041-02.pdf

CISA
https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-02

CVE Name
CVE-2026-1227
CVE-2026-1226

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India