CVE-2026-1227 is an XML External Entity (XXE) vulnerability classified under CWE-611 found in Schneider Electric's EcoStruxure Building Operation Workstation software. The vulnerability exists because the application improperly restricts XML external entity references when processing TGML graphics files uploaded by local users to the EBO server. This flaw allows an attacker with local access and the ability to upload a maliciously crafted TGML file to cause unauthorized disclosure of local files, potentially exposing sensitive configuration or credential data. Additionally, the attacker may interact with the EBO system in unintended ways or trigger denial of service conditions by exploiting the XML parser's behavior. The vulnerability affects all 7.0.x versions prior to 7.0.3.2000 (CP1). The CVSS v4.0 score is 7.0 (high), reflecting the need for local privileges and user interaction but highlighting the significant impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability poses a serious risk to building management systems that rely on EBO for operational control. The issue stems from insufficient validation and restriction of XML external entities during file processing, a common vector for XXE attacks. This vulnerability underscores the importance of secure XML parsing practices and strict input validation in industrial control and building automation software.

For European organizations, particularly those managing critical infrastructure, commercial buildings, and industrial facilities using Schneider Electric's EcoStruxure Building Operation Workstation, this vulnerability could lead to significant operational disruptions. Unauthorized disclosure of local files may expose sensitive system configurations or credentials, enabling further attacks or lateral movement within networks. Unauthorized interactions with the EBO system could compromise building automation controls, potentially affecting HVAC, lighting, or security systems, leading to safety risks or operational downtime. Denial of service conditions could disrupt building operations, impacting occupant comfort and safety. Given the widespread use of Schneider Electric products across Europe, especially in countries with advanced industrial and commercial sectors, the threat could have broad implications. The requirement for local access and user interaction somewhat limits remote exploitation but does not eliminate risk, especially in environments where multiple users have workstation access. The vulnerability could also be leveraged as part of a multi-stage attack targeting critical infrastructure, raising concerns for national security and public safety in Europe.

Organizations should prioritize upgrading EcoStruxure Building Operation Workstation to version 7.0.3.2000 (CP1) or later as soon as the patch becomes available from Schneider Electric. Until patched, restrict local user permissions to prevent unauthorized file uploads to the EBO server, especially restricting access to the TGML graphics file upload functionality. Implement strict access controls and monitoring on workstations running EBO to detect and prevent suspicious file uploads or modifications. Employ application whitelisting and endpoint protection to limit execution of unauthorized or malicious files. Conduct regular audits of user privileges and ensure that only trusted personnel have local access to EBO workstations. Network segmentation should be used to isolate building operation systems from general IT networks to reduce attack surface. Additionally, monitor logs for unusual activity related to XML processing or file uploads. Educate users about the risks of uploading untrusted files and enforce policies to prevent such actions. Finally, coordinate with Schneider Electric for timely updates and advisories.