Schneider Electric Patches Cleartext Storage Flaw in EcoStruxure Machine Expert HVAC
Schneider Electric has released version 1.10.0 of EcoStruxure Machine Expert HVAC to fix a cleartext storage vulnerability that could expose protected source code to authorized attackers.
Schneider Electric has disclosed a medium-severity vulnerability in its EcoStruxure Machine Expert HVAC programming software, tracked as CVE-2026-6332. The flaw, which carries a CVSS v3.1 base score of 5.5, stems from cleartext storage of sensitive information (CWE-312) and could allow an authorized attacker to access protected source code during editing or compilation, leading to a loss of confidentiality.
The affected product, EcoStruxure Machine Expert HVAC, is a programming environment for Modicon M171 and M172 logic controllers widely deployed across critical infrastructure sectors including chemical, critical manufacturing, energy, and water and wastewater systems. With installations worldwide, the vulnerability poses a particular risk to industrial control environments where source code confidentiality is essential for protecting proprietary control logic and operational parameters.
According to the advisory published by CISA (ICSA-26-148-07), the vulnerability affects all versions of EcoStruxure Machine Expert HVAC prior to 1.10.0. An attacker with legitimate access to the system—such as an insider or someone who has already compromised a user account—could exploit the flaw by simply opening or compiling a project file, at which point sensitive information stored in cleartext becomes readable.
Schneider Electric has released version 1.10.0 of the software, which is available for download from the company's support portal. The vendor recommends that all users upgrade immediately to mitigate the risk. No workarounds or alternative mitigations have been provided for versions that cannot be updated.
The vulnerability was reported to CISA by Schneider Electric's own CPCERT team, reflecting a coordinated disclosure process. While the CVSS score is moderate, the context of industrial control systems elevates the practical concern: source code for PLC logic often contains proprietary algorithms, safety parameters, and network topology details that could be leveraged in a broader attack against critical infrastructure.
CISA's advisory also reiterates standard cybersecurity best practices for industrial environments, including isolating control system networks behind firewalls, restricting physical access to controllers, and never leaving devices in "Program" mode when not in active use. Organizations are encouraged to consult Schneider Electric's Recommended Cybersecurity Best Practices document for further guidance.
This disclosure follows a pattern of increasing scrutiny on software supply chain and configuration management tools used in operational technology. As industrial environments become more connected, vulnerabilities in programming and engineering software—even those rated medium severity—can serve as stepping stones for more damaging attacks if left unpatched.