Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of a sensitive information which could result in revealing protected source code and loss of confidentiality, When an authorized attacker accesses the source code for editing or compiling it.
AnalysisAI
Source code disclosure vulnerability in Schneider Electric EcoStruxure Machine Expert HVAC versions prior to 1.10.0 allows authorized users with local access to view protected source code stored in cleartext, resulting in loss of confidentiality and potential exposure of proprietary logic. The vulnerability requires local authenticated access and is rooted in improper protection of sensitive information at rest; no active exploitation or public exploit code has been identified.
Technical ContextAI
This vulnerability is a cleartext storage issue (CWE-312) affecting the EcoStruxure Machine Expert HVAC industrial automation platform. The flaw manifests when authorized users with local machine access (PR:L) can edit or compile source code, revealing information stored without cryptographic protection. EcoStruxure Machine Expert is a Schneider Electric engineering platform used for HVAC (Heating, Ventilation, and Air Conditioning) system design and commissioning. The root cause is the absence of encryption or access controls protecting intellectual property stored on the local file system, allowing privilege-escalation or insider threats to extract proprietary algorithms and system designs.
RemediationAI
Upgrade EcoStruxure Machine Expert HVAC to version 1.10.0 or later, which addresses the cleartext storage issue. Consult Schneider Electric security advisory SEVD-2026-132-01 (https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-132-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-132-01.pdf) for patch availability and deployment guidance. Until patching is possible, implement compensating controls: restrict local access to engineering workstations to authorized personnel only using OS-level access controls; encrypt the workstation's file system or partition containing EcoStruxure projects using BitLocker (Windows) or LUKS (Linux) to protect source code at rest; isolate engineering networks from production and internet-facing systems to limit physical/network access opportunities; audit and log all user access to source code repositories and editing sessions. These controls mitigate insider and credential-compromise threats but do not eliminate the underlying cleartext storage vulnerability.
Same weakness CWE-312 – Cleartext Storage of Sensitive Information
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30346
GHSA-vg4w-v23f-w7r7