Schneider Electric EcoStruxure IT Data Center Expert Vulnerability Exposes Critical Information
A critical vulnerability identified as **CVE-2026-8045** has been discovered in **Schneider Electric**'s **EcoStruxure IT Data Center Expert** software. This flaw could lead to sensitive information disclosure through improper restriction of XML External Entity References, affecting versions up to and including 9.1.1 and 9.1.2. IT security professionals and privacy-conscious users are urged to apply the provided remediation immediately.
# Schneider Electric EcoStruxure IT Data Center Expert Vulnerability Exposes Critical Information
**Schneider Electric** has issued an alert regarding a significant vulnerability in its **EcoStruxure IT Data Center Expert** product, a widely used scalable monitoring software for critical device information in data centers. The vulnerability, tracked as **CVE-2026-8045**, could allow for unauthorized information disclosure.
## Understanding the Vulnerability: CVE-2026-8045
**CVE-2026-8045** is classified as a **CWE-611: Improper Restriction of XML External Entity Reference** vulnerability. This flaw can be exploited by an attacker with an existing **Data Center Expert** user account. By submitting specially crafted XML payloads to SOAP service endpoints, an attacker could potentially access server-side file contents, leading to the disclosure of sensitive information.
The vulnerability has a CVSS v3 score of 6.5, indicating a moderate to high severity. It affects **EcoStruxure IT Data Center Expert** versions 9.1.1 and prior, and specifically mentions version 9.1.2 as also being affected.
## Affected Products and Critical Infrastructure Impact
**Schneider Electric EcoStruxure IT Data Center Expert** (formerly known as **StruxureWare Data Center Expert**) is widely deployed across critical infrastructure sectors, including Information Technology, Critical Manufacturing, and Energy, on a global scale. The compromise of such systems could have far-reaching consequences, making prompt remediation essential.
## Acknowledgments and Reporting
The vulnerability was reported to **CISA** by **Schneider Electric CPCERT**. The initial discovery and reporting to **Schneider Electric** were made by Vincent Michel (@darkpills) of **Formind Company**, highlighting the importance of collaborative security research.
## General Security Recommendations and Mitigation
**Schneider Electric** strongly recommends applying the provided remediation to mitigate the risk of information disclosure. Beyond specific patches, organizations are advised to adhere to industry cybersecurity best practices:
* **Network Segmentation:** Isolate control and safety system networks and remote devices behind firewalls, separating them from business networks.
* **Physical Security:** Implement physical controls to prevent unauthorized access to industrial control and safety systems, components, and networks.
* **Secure Configurations:** Ensure controllers are placed in locked cabinets and never left in 'Program' mode.
* **Secure Data Exchange:** Scan all mobile data exchange methods (e.g., CDs, USB drives) before use on isolated networks.
* **Minimize Exposure:** Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the Internet.
* **Secure Remote Access:** When remote access is necessary, utilize secure methods such as Virtual Private Networks (**VPNs**), ensuring **VPNs** are updated to the latest versions and understanding that their security is contingent on the connected devices.
For more detailed guidance, **Schneider Electric** refers users to their [Recommended Cybersecurity Best Practices](https://www.se.com/us/en/download/document/7EN52-0390/) document and their cybersecurity support portal.
## Further Information and Support
Organizations seeking more details or assistance in protecting their installations should contact their local **Schneider Electric** representative or **Schneider Electric Industrial Cybersecurity Services**. These channels are fully aware of the situation and equipped to provide support throughout the remediation process.