CVE-2026-1226 is a vulnerability classified under CWE-94, indicating improper control of code generation, specifically a code injection flaw within Schneider Electric's EcoStruxure Building Operation Workstation software. This vulnerability exists in all 7.0.x versions prior to 7.0.2. The issue arises when the application processes TGML (a proprietary graphics markup language) files containing maliciously crafted design content. Due to insufficient validation or sanitization of these files, an attacker can inject and execute unintended or untrusted code within the context of the application. The vulnerability requires local access with low privileges (AV:L, PR:L) and some user interaction (UI:P), but does not require authentication (AT:N). The impact on confidentiality, integrity, and availability is high (VC:H, VI:H, VA:H), indicating that successful exploitation could lead to full compromise of the workstation and potentially the building operation environment it manages. The vulnerability does not require network access (AV:L), limiting remote exploitation but still posing a significant risk in environments where local access can be obtained, such as through social engineering or insider threats. No known exploits have been reported in the wild, but the high CVSS score (7.0) and the critical nature of building management systems make this a serious concern. The vulnerability was published on February 11, 2026, and no official patches are linked yet, emphasizing the need for immediate attention from affected users.

For European organizations, particularly those managing critical infrastructure and smart building environments, this vulnerability poses a substantial risk. Exploitation could allow attackers to execute arbitrary code on workstations controlling building operations, potentially leading to unauthorized control over HVAC, lighting, security systems, and other critical functions. This could result in operational disruptions, safety hazards, data breaches, and loss of system integrity. Given the reliance on Schneider Electric's EcoStruxure platform in many European commercial buildings, industrial facilities, and public infrastructure, the impact could extend to economic losses and reputational damage. The requirement for local access and user interaction somewhat limits the attack vector but does not eliminate the threat, especially in environments with multiple users or insufficient access controls. The high confidentiality, integrity, and availability impact ratings indicate that successful exploitation could compromise sensitive operational data and disrupt essential services.

1. Immediately upgrade EcoStruxure Building Operation Workstation installations to version 7.0.2 or later once available to apply the official patch. 2. Until patches are applied, restrict local access to workstations running the affected software, enforcing strict physical and logical access controls. 3. Implement application whitelisting and endpoint protection to detect and block execution of unauthorized code. 4. Enforce strict validation and scanning of all TGML graphics files before processing, including sandboxing or quarantining untrusted files. 5. Conduct user awareness training to reduce the risk of social engineering attacks that could lead to local access or user interaction exploitation. 6. Monitor logs and system behavior for unusual activity indicative of code injection attempts. 7. Segment building operation networks from general IT networks to limit lateral movement in case of compromise. 8. Review and tighten user privileges on workstations to minimize the potential impact of low-privilege local exploits.