CISA Warns of XML Injection Flaw in Schneider Electric EcoStruxure IT Data Center Expert
CISA has issued an advisory for CVE-2026-8045, a medium-severity XML external entity injection vulnerability in Schneider Electric's EcoStruxure IT Data Center Expert software.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has alerted users to a medium-severity vulnerability affecting Schneider Electric's EcoStruxure IT Data Center Expert software. Identified as CVE-2026-8045, the flaw is an XML external entity (XXE) injection vulnerability that could allow an authenticated attacker to disclose sensitive server-side file contents.
The vulnerability affects EcoStruxure IT Data Center Expert versions prior to 9.1.2. The software monitors and manages data center infrastructure, collecting and organizing device information into a single view of the equipment, so the server that runs it typically holds configuration and credential material for the devices it supervises.
According to the advisory, an attacker who holds a Data Center Expert user account could submit crafted XML to the product's SOAP service endpoints. The weakness is in how the service's XML parser handles external entities: a DOCTYPE in the request can declare an entity whose value is a server-side file, and when the parser resolves that entity the file's contents are inlined into the parsed document, from where they can be reflected back to the attacker. The Common Vulnerability Scoring System (CVSS) base score is 6.5, which places the flaw at medium severity; note that the score already assumes the attacker has valid credentials, so the risk rises in environments where accounts are shared or weakly protected.
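The mechanism described above, as an added example that is not code from Schneider Electric, CISA or the advisory. The product's implementation language is not given, so this uses Python's stdlib expat parser as a stand-in; the SOAP operation and element names, the "secret" file and its contents are constructed for illustration. The permissive parser opens whatever file the request's DTD names; the hardened one refuses any DOCTYPE before entity resolution can occur, the same policy defusedxml applies with `forbid_dtd=True`.

```python
"""Added example (not the vendor's or CISA's code): an XXE payload inside a
constructed SOAP envelope, parsed by a vulnerable resolver and by a hardened one."""
import os
import tempfile
import xml.parsers.expat as expat

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def xxe_doctype(path: str) -> str:
    """The injected DTD: an external general entity pointing at a server-side
    file. Assumes a POSIX absolute path so file://{path} is a valid URL."""
    return f'<!DOCTYPE soapenv:Envelope [ <!ENTITY xxe SYSTEM "file://{path}"> ]>\n'


def build_envelope(name_value: str, doctype: str = "") -> bytes:
    """Constructed request; 'getDevice'/'name' are assumed, not the real DCE API."""
    return (
        f'<?xml version="1.0"?>\n{doctype}'
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
        f"<getDevice><name>{name_value}</name></getDevice>"
        "</soapenv:Body></soapenv:Envelope>"
    ).encode()


class _NameCollector:
    """Gathers the character data inside <name>...</name>, which is what the
    service would echo back (or log) after parsing the request."""

    def __init__(self):
        self.in_name = False
        self.parts = []

    def start(self, tag, attrs):
        if tag == "name":
            self.in_name = True

    def end(self, tag):
        if tag == "name":
            self.in_name = False

    def chars(self, data):
        if self.in_name:
            self.parts.append(data)

    def text(self) -> str:
        return "".join(self.parts)


def _new_parser(collector: _NameCollector):
    parser = expat.ParserCreate()
    parser.StartElementHandler = collector.start
    parser.EndElementHandler = collector.end
    parser.CharacterDataHandler = collector.chars
    return parser


def parse_permissive(envelope: bytes) -> str:
    """Vulnerable behaviour: external entities are resolved by opening whatever
    system identifier the attacker-controlled DTD names."""
    collector = _NameCollector()
    parser = _new_parser(collector)

    def resolve(context, base, system_id, public_id):
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            data = fh.read()
        # The child parser inherits the handlers, so the file's text lands in
        # the collector exactly as if it had been typed into <name>.
        parser.ExternalEntityParserCreate(context).Parse(data, True)
        return 1

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(envelope, True)
    return collector.text()


def parse_hardened(envelope: bytes) -> str:
    """Fixed behaviour: a SOAP request never needs a DTD, so any DOCTYPE is
    rejected up front and no external-entity resolver is installed at all."""
    collector = _NameCollector()
    parser = _new_parser(collector)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE is not permitted in a SOAP request")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(envelope, True)
    return collector.text()


def demo() -> dict:
    """Runs both parsers on a benign request and on the XXE request, using a
    throwaway 'secret' file so the example runs offline."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "dce.properties")
        with open(secret_path, "w") as fh:
            fh.write("db.password=hunter2")  # constructed content
        benign = build_envelope("rack-01-pdu")
        attack = build_envelope("&xxe;", xxe_doctype(secret_path))
        try:
            parse_hardened(attack)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "benign_permissive": parse_permissive(benign),
            "benign_hardened": parse_hardened(benign),
            "leaked_by_permissive": parse_permissive(attack),
            "attack_rejected_by_hardened": rejected,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The benign request parses identically under both functions; only the request carrying a DOCTYPE is treated differently, which is why rejecting DTDs outright is the usual fix for SOAP and REST parsers rather than trying to filter individual entity declarations.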
Schneider Electric has acknowledged the vulnerability and has released a patched version, EcoStruxure IT Data Center Expert version 9.1.2, which addresses this issue. Users are strongly advised to update to this latest version to remediate the risk of information disclosure. The company provides download links for the updated software on its product support pages.
This vulnerability was reported to CISA by Schneider Electric's CPCERT and independently by Vincent Michel of Formind Company. CISA's advisory also includes general cybersecurity best practices for critical infrastructure sectors, emphasizing network segmentation, physical security, and secure remote access methods like VPNs.
Organizations running Schneider Electric's EcoStruxure IT Data Center Expert software are urged to prioritize the update to version 9.1.2. Failure to do so leaves server-side files readable by any user who can authenticate to the product, potentially affecting operational continuity and data confidentiality. Until the update is applied, limiting network access to the management interface and reviewing which accounts can reach it reduces exposure, since exploitation requires a valid Data Center Expert login. The widespread deployment of Schneider Electric products across critical infrastructure sectors, including Information Technology, Critical Manufacturing, and Energy, underscores the importance of timely patching.
Schneider Electric has provided detailed information and resources on its cybersecurity support portal, offering guidance for customers to protect their installations. The company's commitment to security includes regular updates and advisories to address emerging threats and vulnerabilities within its product portfolio.