Skip to main content

EcoStruxure Machine Expert HVAC EUVDEUVD-2026-30346

| CVE-2026-6332 MEDIUM
Cleartext Storage of Sensitive Information (CWE-312)
2026-05-14 schneider GHSA-vg4w-v23f-w7r7
6.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 19:45 vuln.today
CVSS changed
May 14, 2026 - 18:22 NVD
6.8 (MEDIUM)
CVE Published
May 14, 2026 - 16:54 nvd
UNKNOWN (no severity yet)
CVE Published
May 14, 2026 - 16:54 nvd
MEDIUM 6.8

DescriptionCVE.org

CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of a sensitive information which could result in revealing protected source code and loss of confidentiality, When an authorized attacker accesses the source code for editing or compiling it.

AnalysisAI

Source code disclosure vulnerability in Schneider Electric EcoStruxure Machine Expert HVAC versions prior to 1.10.0 allows authorized users with local access to view protected source code stored in cleartext, resulting in loss of confidentiality and potential exposure of proprietary logic. The vulnerability requires local authenticated access and is rooted in improper protection of sensitive information at rest; no active exploitation or public exploit code has been identified.

Technical ContextAI

This vulnerability is a cleartext storage issue (CWE-312) affecting the EcoStruxure Machine Expert HVAC industrial automation platform. The flaw manifests when authorized users with local machine access (PR:L) can edit or compile source code, revealing information stored without cryptographic protection. EcoStruxure Machine Expert is a Schneider Electric engineering platform used for HVAC (Heating, Ventilation, and Air Conditioning) system design and commissioning. The root cause is the absence of encryption or access controls protecting intellectual property stored on the local file system, allowing privilege-escalation or insider threats to extract proprietary algorithms and system designs.

RemediationAI

Upgrade EcoStruxure Machine Expert HVAC to version 1.10.0 or later, which addresses the cleartext storage issue. Consult Schneider Electric security advisory SEVD-2026-132-01 (https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-132-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-132-01.pdf) for patch availability and deployment guidance. Until patching is possible, implement compensating controls: restrict local access to engineering workstations to authorized personnel only using OS-level access controls; encrypt the workstation's file system or partition containing EcoStruxure projects using BitLocker (Windows) or LUKS (Linux) to protect source code at rest; isolate engineering networks from production and internet-facing systems to limit physical/network access opportunities; audit and log all user access to source code repositories and editing sessions. These controls mitigate insider and credential-compromise threats but do not eliminate the underlying cleartext storage vulnerability.

Share

EUVD-2026-30346 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy