Skip to main content

EcoStruxure IT DCE EUVDEUVD-2026-35446

| CVE-2026-8045 HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2026-06-09 schneider GHSA-54hv-p86j-4879
7.1
CVSS 4.0 · Vendor: schneider
Share

Severity by source

Vendor (schneider) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (schneider) · only source for this CVE.

CVSS VectorVendor: schneider

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 18:49 vuln.today
CVSS changed
Jun 09, 2026 - 16:22 NVD
7.1 (HIGH)
CVE Published
Jun 09, 2026 - 14:41 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure of server-side file contents when an attacker with a Data Center Expert user account submits crafted XML payloads to SOAP service endpoints.

AnalysisAI

Server-side file disclosure in Schneider Electric EcoStruxure IT Data Center Expert v9.1.1 and prior allows authenticated users to read arbitrary files on the underlying host by submitting crafted XML payloads to SOAP service endpoints. The flaw stems from improper restriction of XML External Entity references (CWE-611) in the SOAP API. No public exploit identified at time of analysis, but CISA SSVC marks the issue as automatable with partial technical impact.

Technical ContextAI

EcoStruxure IT Data Center Expert (DCE) is Schneider Electric's vendor-neutral monitoring platform for data center physical infrastructure (UPS, PDU, cooling, environmental sensors), historically known as StruxureWare Data Center Expert. The product exposes SOAP web services for programmatic management and integrations. The root cause class - CWE-611 Improper Restriction of XML External Entity Reference - occurs when an XML parser resolves external entity declarations supplied in user-controlled input; an attacker can declare a SYSTEM entity that references a local file path (or internal URL), causing the parser to inline that resource into the response or trigger an out-of-band fetch. The affected CPE is cpe:2.3:a:schneider_electric:ecostruxure™_it_data_center_expert covering versions up to and including v9.1.1.

RemediationAI

Patch available per vendor advisory SEVD-2026-160-01 (https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-160-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-160-01.pdf) - apply the fixed EcoStruxure IT Data Center Expert build referenced in that bulletin; the exact fixed version is not independently confirmed in the provided intelligence, so consult the PDF directly. Until the upgrade is deployed, restrict the DCE SOAP service to a trusted management network segment via firewall ACLs (side effect: breaks remote integrations and northbound monitoring connectors that rely on SOAP), tightly review and minimize the population of low-privilege DCE user accounts to remove untrusted internal users (side effect: may disrupt operator/contractor workflows), and audit DCE host file contents to remove or relocate any plaintext secrets, credentials, or configuration files that an XXE read would expose. Egress filtering from the DCE host to the internet and internal sensitive endpoints reduces blind/out-of-band XXE exfiltration paths (side effect: may interfere with legitimate vendor telemetry or update channels).

Share

EUVD-2026-35446 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy