CVE-2026-1227 is an XML External Entity (XXE) vulnerability classified under CWE-611 affecting Schneider Electric's EcoStruxure Building Operation (EBO) Workstation. The vulnerability exists due to improper restriction of XML external entity references when processing TGML graphics files uploaded locally to the EBO server from the Workstation. An attacker with local access can craft a malicious TGML file containing external entity references that the XML parser processes insecurely. This can lead to unauthorized disclosure of local files on the server, unintended interactions within the EBO system potentially altering its behavior, or denial of service by causing the server to crash or hang. The vulnerability affects all 7.0.x versions prior to 7.0.3.2000 (CP1). The CVSS 4.0 base score is 7.0 (high), reflecting that exploitation requires local privileges and user interaction but can cause high confidentiality, integrity, and availability impacts. No public exploits are known, but the vulnerability poses a significant risk in environments where local user access is possible. The root cause is the lack of proper validation and restriction on XML external entity processing in the TGML file handler component of the EBO Workstation server. This vulnerability highlights the importance of secure XML parsing practices, such as disabling external entity resolution or using safe parsing libraries. Schneider Electric has reserved the CVE and published the advisory, but no patch links are currently provided, indicating that remediation may be pending or available in the specified fixed version.

For European organizations, especially those managing critical infrastructure and building automation systems, this vulnerability poses a significant risk. Unauthorized disclosure of local files could expose sensitive configuration data, credentials, or operational details, facilitating further attacks. Unintended interactions within the EBO system could disrupt building management functions such as HVAC, lighting, or security controls, potentially impacting occupant safety and operational continuity. Denial of service conditions could render the building operation system unavailable, causing operational downtime and financial losses. Given the reliance on Schneider Electric's EcoStruxure platform in many European commercial and industrial facilities, exploitation could have cascading effects on facility management and safety. The requirement for local user access limits remote exploitation but insider threats or compromised local accounts increase risk. The high confidentiality, integrity, and availability impacts make this vulnerability critical to address in environments with stringent security and operational requirements.

1. Immediately upgrade all affected EcoStruxure Building Operation Workstation installations to version 7.0.3.2000 (CP1) or later, where the vulnerability is addressed. 2. Restrict local user access to the Workstation upload functionality, ensuring only trusted administrators can upload TGML graphics files. 3. Implement strict access controls and monitoring on systems running EBO Workstation to detect and prevent unauthorized local access. 4. Disable XML external entity processing in the TGML file parser if configurable, or apply XML parsing libraries that enforce secure defaults. 5. Conduct regular audits of local user accounts and permissions on EBO servers to minimize insider threat risk. 6. Monitor system logs for unusual file upload activities or errors indicative of exploitation attempts. 7. Establish incident response procedures specific to building management systems to quickly respond to potential exploitation. 8. Coordinate with Schneider Electric support for any interim patches or workarounds if immediate upgrade is not feasible.