PatchSiren cyber security CVE debrief
CVE-2026-1227 Schneider Electric CVE debrief
CVE-2026-1227 is a high-severity XML external entity (XXE) issue in Schneider Electric EcoStruxure Building Operation (EBO) Workstation and WebStation. According to the advisory, a local user who uploads a maliciously crafted TGML graphics file to the EBO server from Workstation could trigger unauthorized disclosure of local files, unauthorized interaction with the EBO system, or denial-of-service conditions. The vulnerability was published on 2026-02-10 and CISA republished the Schneider advisory on 2026-02-24.
- Vendor: Schneider Electric
- Product: EcoStruxure Building Operation Workstation
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-10
- Original CVE updated: 2026-02-24
- Advisory published: 2026-02-10
- Advisory updated: 2026-02-24
Who should care
Organizations running Schneider Electric EcoStruxure Building Operation Workstation or WebStation, especially OT/critical building management environments where local users can upload TGML graphics files.
Technical summary
The advisory describes improper restriction of XML external entity references during TGML graphics file handling. In the affected EBO components, a local user with upload capability can submit a malicious TGML file to the server from Workstation. The listed impact includes local file disclosure, unauthorized interaction with the EBO system, and denial of service. The advisory’s remediation lists fixed versions for both Workstation and WebStation: 7.0.3.2000 (CP1) for the 7.0 branch and 6.0.4.14001 (CP10) for the 6.x branch.
Defensive priority
High. This is a reachable XXE issue in a building-automation platform with confidentiality, integrity, and availability impact. Prioritize patching affected EBO deployments and restrict upload paths until remediation is complete.
Recommended defensive actions
- Apply the vendor fix for the applicable branch: upgrade to EcoStruxure Building Operation Workstation/WebStation 7.0.3.2000 (CP1) or 6.0.4.14001 (CP10) using Schneider Electric patch v7.0 or v6.0 as appropriate.
- Follow the installation instructions in the vendor readme and verify the installed version after patching.
- If patching is delayed, immediately limit system access to authorized personnel only and reduce who can upload TGML graphics files.
- Use multi-factor authentication on EBO version 7.0 or later, as recommended by the vendor.
- Place EBO behind firewalls and segment building-management networks from broader enterprise networks.
- Monitor system activity for unusual uploads, file access, or abnormal server behavior.
- Review and apply Schneider Electric EBO hardening guidance and related CISA industrial control system recommended practices.
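A defensive check for the upload path the summary and actions above describe, added here as an example and not Schneider Electric's code: it screens an incoming TGML graphics file for DOCTYPE and external entity declarations before it reaches the EBO server, and parses accepted files with Python's expat configured to abort on either construct. The TGML element and attribute names in the constructed samples are assumptions.

```python
import re
import xml.parsers.expat as expat

# Lexical pre-checks: a graphics file has no legitimate need for a DOCTYPE
# or for entity declarations, so either one is a reason to block the upload.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)

# Constructed sample inputs; the TGML element and attribute names are assumed.
CLEAN_TGML = (b'<?xml version="1.0"?>'
              b'<TGML Name="Lobby"><Rect X="0" Y="0"/><Text>Temp</Text></TGML>')
SUSPECT_TGML = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE TGML [<!ENTITY ext SYSTEM "file:///constructed/example">]>'
                b'<TGML Name="Lobby"><Text>&ext;</Text></TGML>')

class RejectedTgml(Exception):
    """Raised when an upload is refused before or during parsing."""

def screen_tgml(data: bytes) -> list:
    """Return the reasons an upload should be blocked (empty list = clean)."""
    reasons = []
    if DOCTYPE_RE.search(data):
        reasons.append("DOCTYPE declaration present")
    if EXTERNAL_ENTITY_RE.search(data):
        reasons.append("external (SYSTEM/PUBLIC) entity declared")
    return reasons

def parse_tgml_strict(data: bytes) -> dict:
    """Parse with expat so that any DOCTYPE or external entity reference aborts;
    on success return a count of elements per tag name."""
    counts = {}
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedTgml("DOCTYPE is not allowed in a TGML upload")
    def reject_external(context, base, system_id, public_id):
        raise RejectedTgml("external entity resolution is not allowed")
    def count_element(tag, attrs):
        counts[tag] = counts.get(tag, 0) + 1
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = count_element
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise RejectedTgml(f"malformed XML: {exc}") from exc
    return counts
```

Running the lexical screen at the upload boundary and the strict parse at the consumer gives two independent places to log and block a file that carries entity constructs, which is what the monitoring recommendation above is looking for.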
Evidence notes
The source advisory text explicitly states: improper restriction of XML external entity reference; possible unauthorized disclosure of local files, unauthorized interaction with the EBO system, and denial-of-service conditions; and that the issue occurs when a local user uploads a maliciously crafted TGML graphics file to the EBO server from Workstation. The remediation entries list fixed versions 7.0.3.2000 (CP1) and 6.0.4.14001 (CP10), plus mitigation guidance. Timeline fields show initial publication on 2026-02-10 and CISA republication on 2026-02-24.
Official resources
- CVE-2026-1227 CVE record (CVE.org)
- CVE-2026-1227 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
Public advisory disclosure; no KEV listing was supplied in the source corpus.