
CVE-2026-1226: CWE-94 Improper Control of Generation of Code ('Code Injection') in Schneider Electric EcoStruxure Building Operation Workstation

Severity: High
Published: Wed Feb 11 2026 (02/11/2026, 13:49:45 UTC)
Source: CVE Database V5
Vendor/Project: Schneider Electric
Product: EcoStruxure Building Operation Workstation

Description

CWE‑94: Improper Control of Generation of Code vulnerability exists that could cause execution of untrusted or unintended code within the application when maliciously crafted design content is processed through a TGML graphics file.

AI-Powered Analysis

AI analysis last updated: 02/11/2026, 14:16:11 UTC

Technical Analysis

CVE-2026-1226 identifies a code injection vulnerability classified under CWE-94 in Schneider Electric's EcoStruxure Building Operation Workstation, specifically affecting all 7.0.x versions prior to 7.0.2. The flaw stems from improper control over the generation of code when the application processes TGML (Tridium Graphics Markup Language) graphics files containing maliciously crafted design content. This vulnerability allows an attacker to execute untrusted or unintended code within the context of the application. The CVSS 4.0 base score is 7.0 (high severity), with an attack vector of local (AV:L), low attack complexity (AC:L), no authentication required (AT:N), low privileges required (PR:L), and user interaction required (UI:P). The vulnerability impacts confidentiality, integrity, and availability at a high level, as the attacker could execute arbitrary code, potentially leading to unauthorized control or disruption of building management operations. Although no known exploits are reported in the wild, the risk is significant due to the critical nature of building operation systems in managing HVAC, lighting, and security controls. The vulnerability does not have a patch link yet, indicating that remediation may still be pending or in progress. The improper code generation issue highlights a failure in input validation and sanitization of TGML files, which are used to define graphical interfaces and controls within the workstation software. Attackers with local access and low privileges could craft malicious TGML files that, when processed, trigger code execution, potentially escalating privileges or disrupting system functions.

Potential Impact

For European organizations, this vulnerability poses a substantial risk to the security and operational continuity of critical building management systems. EcoStruxure Building Operation Workstation is widely used in commercial buildings, industrial facilities, and critical infrastructure across Europe to control HVAC, lighting, and security systems. Exploitation could lead to unauthorized code execution, resulting in data breaches, manipulation of building controls, operational downtime, or safety hazards. Confidentiality could be compromised if attackers gain access to sensitive operational data. Integrity is at risk as attackers could alter system behavior or configurations. Availability could be disrupted by system crashes or denial of service. Given the reliance on these systems for energy management and security, the impact extends beyond IT to physical safety and regulatory compliance. The requirement for local access and user interaction somewhat limits remote exploitation, but insider threats or compromised user accounts could facilitate attacks. The absence of known exploits provides a window for proactive mitigation before widespread attacks occur.

Mitigation Recommendations

Organizations should urgently upgrade EcoStruxure Building Operation Workstation to version 7.0.2 or later once available. Until patches are deployed, implement strict access controls to limit local access to trusted personnel only. Enforce robust user training to prevent opening or processing untrusted TGML files. Employ application whitelisting and endpoint protection solutions to detect and block suspicious code execution attempts. Conduct regular audits of workstation configurations and monitor logs for unusual activity related to TGML file processing. Isolate building operation workstations from general user networks to reduce exposure. Collaborate with Schneider Electric support for guidance on interim mitigations and monitor for official patches or advisories. Consider deploying network segmentation and intrusion detection systems tailored to building management protocols to detect exploitation attempts. Finally, establish incident response plans specific to building operation system compromises.
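One way to support the audit and untrusted-file recommendations above is a hash baseline of approved TGML graphics, compared periodically against what is actually on the workstation. The Python below is an added example, not Schneider Electric tooling or code from this page; the `.tgml` extension, the directory layout and the file contents in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

TGML_SUFFIX = ".tgml"  # assumption: graphics files carry this extension


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large graphics do not load fully into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every TGML file under root (relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() == TGML_SUFFIX
    }


def audit(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report TGML files that are new, modified or missing versus the baseline."""
    current = snapshot(root)
    shared = current.keys() & baseline.keys()
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in shared if current[k] != baseline[k]),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: approve two files, then alter one and drop in another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "floors").mkdir()
        (root / "floors" / "lobby.tgml").write_bytes(b"approved graphic A")
        (root / "ahu1.tgml").write_bytes(b"approved graphic B")
        baseline = snapshot(root)  # in practice, store this as JSON off-host
        (root / "ahu1.tgml").write_bytes(b"graphic B, edited after approval")
        (root / "Inbox.TGML").write_bytes(b"file of unknown origin")
        return audit(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Files reported as new or modified are the ones to review before anyone opens them in the Workstation; keeping the baseline off the audited host prevents a local low-privilege user from rewriting it.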


Technical Details

Data Version: 5.2
Assigner Short Name: schneider
Date Reserved: 2026-01-20T12:38:21.548Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 698c8bab4b57a58fa19a50d1

Added to database: 2/11/2026, 2:01:15 PM

Last enriched: 2/11/2026, 2:16:11 PM

Last updated: 2/11/2026, 5:28:44 PM
