Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (schneider) · only source for this CVE.
CVSS VectorVendor: schneider
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure of server-side file contents when an attacker with a Data Center Expert user account submits crafted XML payloads to SOAP service endpoints.
AnalysisAI
Server-side file disclosure in Schneider Electric EcoStruxure IT Data Center Expert v9.1.1 and prior allows authenticated users to read arbitrary files on the underlying host by submitting crafted XML payloads to SOAP service endpoints. The flaw stems from improper restriction of XML External Entity references (CWE-611) in the SOAP API. No public exploit identified at time of analysis, but CISA SSVC marks the issue as automatable with partial technical impact.
Technical ContextAI
EcoStruxure IT Data Center Expert (DCE) is Schneider Electric's vendor-neutral monitoring platform for data center physical infrastructure (UPS, PDU, cooling, environmental sensors), historically known as StruxureWare Data Center Expert. The product exposes SOAP web services for programmatic management and integrations. The root cause class - CWE-611 Improper Restriction of XML External Entity Reference - occurs when an XML parser resolves external entity declarations supplied in user-controlled input; an attacker can declare a SYSTEM entity that references a local file path (or internal URL), causing the parser to inline that resource into the response or trigger an out-of-band fetch. The affected CPE is cpe:2.3:a:schneider_electric:ecostruxure™_it_data_center_expert covering versions up to and including v9.1.1.
RemediationAI
Patch available per vendor advisory SEVD-2026-160-01 (https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-160-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-160-01.pdf) - apply the fixed EcoStruxure IT Data Center Expert build referenced in that bulletin; the exact fixed version is not independently confirmed in the provided intelligence, so consult the PDF directly. Until the upgrade is deployed, restrict the DCE SOAP service to a trusted management network segment via firewall ACLs (side effect: breaks remote integrations and northbound monitoring connectors that rely on SOAP), tightly review and minimize the population of low-privilege DCE user accounts to remove untrusted internal users (side effect: may disrupt operator/contractor workflows), and audit DCE host file contents to remove or relocate any plaintext secrets, credentials, or configuration files that an XXE read would expose. Egress filtering from the DCE host to the internet and internal sensitive endpoints reduces blind/out-of-band XXE exfiltration paths (side effect: may interfere with legitimate vendor telemetry or update channels).
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35446
GHSA-54hv-p86j-4879