CISA Warns of Critical Code Injection Flaw in Schneider Electric ICS Software

CISA Highlights Critical Code Injection Vulnerability (CVE-2026-2273) in Schneider Electric EcoStruxure

Severity: HIGH
March 19, 2026
Topics: Industrial Control Systems, Vulnerability, Patch Management

Related Entities

Products & Tech: EcoStruxure Automation Expert
CVE Identifiers: CVE-2026-2273 (HIGH, CVSS 8.2)

Executive Summary

On March 19, 2026, CISA published an Industrial Control Systems (ICS) advisory (ICSA-26-078-03) for a high-severity vulnerability in Schneider Electric's EcoStruxure Automation Expert software. The vulnerability, CVE-2026-2273, is a code injection flaw with a CVSS v3 base score of 8.2 (High). Exploitation requires that a legitimate, authenticated user be convinced to open a malicious project file on the engineering workstation. Successful exploitation allows arbitrary command execution on that workstation with the user's privileges, potentially leading to full system compromise and creating significant risk for the connected industrial environment. Schneider Electric has released software version 25.0.1 to address the vulnerability.


Vulnerability Details

  • CVE ID: CVE-2026-2273
  • Vulnerability Type: Improper Control of Generation of Code ('Code Injection')
  • CVSS Score: 8.2 (High)
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required

The vulnerability exists within the project file handling mechanism of the EcoStruxure Automation Expert software. An attacker can craft a malicious project file containing arbitrary commands. When an authenticated user opens this file on their engineering workstation, the embedded commands are executed with the privileges of that user. Since engineering workstations are highly privileged and have direct access to ICS/OT networks, their compromise is a critical security event.

Affected Systems

  • Product: Schneider Electric EcoStruxure Automation Expert
  • Affected Versions: All versions prior to 25.0.1

This software is used across multiple critical infrastructure sectors, including Commercial Facilities, Critical Manufacturing, and Energy.

Exploitation Status

The vulnerability was reported to CISA by Schneider Electric. The advisory does not mention active exploitation in the wild; it is a proactive notification intended to get asset owners to patch before the flaw is weaponized.

Impact Assessment

The compromise of an engineering workstation (EWS) in an ICS environment is a high-impact event. An attacker achieving arbitrary command execution on an EWS could:

  • Steal Credentials: Harvest credentials for PLCs, HMIs, and other control system components.
  • Manipulate Control Logic: Modify, disrupt, or shut down physical processes by pushing malicious code to controllers (T0831 - Manipulation of Control).
  • Pivot to OT Network: Use the compromised EWS as a beachhead to move deeper into the Operational Technology network, bypassing security controls like firewalls that separate IT and OT.
  • Install Malware: Deploy ransomware, wipers, or spyware tailored for ICS environments.

Successful exploitation could lead to production downtime, equipment damage, or even unsafe operating conditions.

Detection Methods

  1. File Analysis (D3FEND: File Analysis): Scan incoming project files (.axp or similar) for suspicious scripts, embedded executables, or other anomalies. Use sandboxing to open untrusted project files to observe their behavior.
  2. Endpoint Monitoring: Use an EDR solution on engineering workstations to monitor for suspicious process execution originating from the EcoStruxure Automation Expert process (AutomationExpert.exe, or whatever the installed binary is named). For example, that process spawning powershell.exe or cmd.exe is highly anomalous and should be alerted on, and blocked where application control allows it.
  3. User Training: The exploit requires user interaction. Train engineers and operators to be highly suspicious of project files from untrusted sources (e.g., email attachments, USB drives).
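The parent/child process rule from the Endpoint Monitoring item above, run over sample telemetry. This is an added example, not code from the CISA advisory or from Schneider Electric: it assumes the engineering binary is named AutomationExpert.exe, that the Sysmon or EDR feed is exported as one JSON object per line with the usual Sysmon field names (UtcTime, Image, ParentImage, CommandLine, User), and the log lines in SAMPLE_LOG are constructed for the example (the Compiler.exe helper and the line4.proj file name are placeholders).

```python
"""Flag interpreters and LOLBins spawned by the engineering application in
Sysmon Event ID 1 (process creation) records.

Added example, not from the advisory or the vendor. Field names follow Sysmon;
the binary name and the sample records below are assumptions for illustration.
"""
import json
from typing import Iterable

# Assumed binary name of the engineering tool; confirm on your own install.
ENGINEERING_TOOL = "automationexpert.exe"

# Interpreters and living-off-the-land binaries that an engineering tool has
# no business launching while it loads a project file.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Constructed Sysmon records, one JSON object per line. Two are the attack
# pattern (tool -> cmd.exe, tool -> encoded powershell.exe); the rest are benign
# noise that a good rule must not fire on (explorer -> cmd, the tool launching its
# own helper, and a non-process-create event).
SAMPLE_LOG = r"""
{"EventID":1,"UtcTime":"2026-03-19 09:12:01.100","User":"PLANT\\eng01","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Program Files\\Schneider Electric\\EcoStruxure Automation Expert\\AutomationExpert.exe","CommandLine":"\"AutomationExpert.exe\" C:\\Projects\\line4.proj"}
{"EventID":1,"UtcTime":"2026-03-19 09:12:03.420","User":"PLANT\\eng01","ParentImage":"C:\\Program Files\\Schneider Electric\\EcoStruxure Automation Expert\\AutomationExpert.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami > C:\\Users\\Public\\w.txt"}
{"EventID":1,"UtcTime":"2026-03-19 09:12:03.900","User":"PLANT\\eng01","ParentImage":"C:\\Program Files\\Schneider Electric\\EcoStruxure Automation Expert\\AutomationExpert.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"EventID":1,"UtcTime":"2026-03-19 09:15:10.000","User":"PLANT\\eng01","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}
{"EventID":1,"UtcTime":"2026-03-19 09:16:00.000","User":"PLANT\\eng01","ParentImage":"C:\\Program Files\\Schneider Electric\\EcoStruxure Automation Expert\\AutomationExpert.exe","Image":"C:\\Program Files\\Schneider Electric\\EcoStruxure Automation Expert\\Compiler.exe","CommandLine":"Compiler.exe line4.proj"}
{"EventID":3,"UtcTime":"2026-03-19 09:12:04.000","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","DestinationIp":"203.0.113.10","DestinationPort":443}
"""


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (handles either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_sysmon_jsonl(text: str) -> list[dict]:
    """Parse one JSON object per line, keeping only Event ID 1 (process create)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            if rec.get("EventID") == 1:
                events.append(rec)
    return events


def find_suspicious_children(events: Iterable[dict]) -> list[dict]:
    """Return process-create events where the engineering tool is the parent and
    the child is an interpreter or LOLBin. The tool's own helper binaries are
    not in the child set, so the rule stays quiet during normal engineering."""
    findings = []
    for ev in events:
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent != ENGINEERING_TOOL or child not in SUSPICIOUS_CHILDREN:
            continue
        cmdline = ev.get("CommandLine", "")
        findings.append({
            "time": ev.get("UtcTime"),
            "user": ev.get("User"),
            "child": child,
            "cmdline": cmdline,
            # Encoded PowerShell from a document-handling parent is the classic
            # first stage of a payload; raise the severity for it.
            "encoded_powershell": child in ("powershell.exe", "pwsh.exe")
            and " -enc" in cmdline.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_children(parse_sysmon_jsonl(SAMPLE_LOG)):
        sev = "HIGH" if f["encoded_powershell"] else "MEDIUM"
        print(f"[{sev}] {f['time']} {f['user']} {ENGINEERING_TOOL} -> {f['child']}: {f['cmdline']}")
```

The same parent/child logic translates directly into an EDR or Sigma rule (ParentImage ends with the engineering binary, Image in the interpreter list); keeping a short allow-list of the tool's genuine helper binaries rather than alerting on every child is what keeps the rule usable on a busy workstation.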

Remediation Steps

  1. Upgrade Software (D3FEND: Software Update): The primary mitigation is to upgrade EcoStruxure Automation Expert to version 25.0.1 or later.
  2. Verify File Authenticity: As a compensating control, organizations should implement strict procedures for handling project files. Only open files from trusted, verified sources. Use file hashing or digital signatures to verify the integrity of project files before use.
  3. Secure File Storage: Store project files in protected directories with restricted access permissions to prevent unauthorized modification.
  4. ICS Network Best Practices:
    • Minimize network exposure for all control system devices and workstations. Engineering workstations should not have direct internet access.
    • Isolate the ICS network from the business (IT) network using firewalls and unidirectional gateways where appropriate.
    • Enforce the principle of least privilege for all users and applications on the EWS.
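Two of the steps above can be turned into checks an engineering team can actually run: step 1 (is an installed version still below 25.0.1?) and step 2 (does a project file match a signed hash manifest before anyone opens it?). This is an added example, not Schneider Electric or CISA code. The manifest format, the HMAC-SHA256 signing key, and the file names are assumptions for illustration; in production the key would live in a secrets store and the manifest would be produced on a trusted change-control host, not on the workstation that consumes it.

```python
"""Version gate and signed-manifest verification for engineering project files.

Added example. The 25.0.1 threshold is from the advisory; everything else
(manifest layout, key, file names) is an assumption for illustration.
"""
import hashlib
import hmac
import json
import os
import tempfile

FIXED_VERSION = (25, 0, 1)  # advisory: all versions prior to 25.0.1 are affected


def parse_version(text: str) -> tuple:
    """'25.0.1' -> (25, 0, 1); shorter strings are zero-padded to three parts."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so the MAC covers exactly what is later verified."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> dict:
    """Wrap {file name: sha256 hex} in an HMAC-SHA256 signed envelope."""
    mac = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "mac": mac}


def load_trusted_manifest(envelope: dict, key: bytes) -> dict:
    """Refuse the manifest unless its MAC verifies; otherwise an attacker who can
    edit the manifest simply 'approves' the hash of their own project file."""
    expected = hmac.new(key, canonical(envelope["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("mac", "")):
        raise ValueError("manifest MAC does not verify; do not trust it")
    return envelope["manifest"]


def verify_project_file(path: str, manifest: dict) -> bool:
    """A project file is approved only if it is listed and its hash matches.
    Unknown files fail closed: they must go through change control first."""
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> dict:
    """Exercise the checks on constructed files in a temporary directory."""
    key = b"controls-team-manifest-key"  # placeholder; use a real secret
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "line4.proj")  # placeholder project file name
        with open(approved, "wb") as f:
            f.write(b"<project>approved engineering content</project>")
        envelope = sign_manifest({"line4.proj": sha256_file(approved)}, key)
        manifest = load_trusted_manifest(envelope, key)
        ok_before = verify_project_file(approved, manifest)

        # An attacker swaps in a modified project file under the same name.
        with open(approved, "wb") as f:
            f.write(b"<project>modified content</project>")
        ok_after = verify_project_file(approved, manifest)

        # The attacker also edits the manifest to bless the new hash, but
        # cannot recompute the MAC without the key.
        forged = {"manifest": {"line4.proj": sha256_file(approved)}, "mac": envelope["mac"]}
        try:
            load_trusted_manifest(forged, key)
            forgery_rejected = False
        except ValueError:
            forgery_rejected = True

        # A file nobody approved (e.g. emailed by a "vendor") is rejected too.
        unknown = os.path.join(d, "vendor_sample.proj")
        with open(unknown, "wb") as f:
            f.write(b"<project/>")
        ok_unknown = verify_project_file(unknown, manifest)

    return {"approved": ok_before, "tampered": ok_after,
            "forged_manifest_rejected": forgery_rejected, "unknown": ok_unknown}


if __name__ == "__main__":
    for v in ("24.1.0", "25.0", "25.0.1", "25.1.0"):
        print(f"{v}: {'VULNERABLE, upgrade' if is_vulnerable(v) else 'patched'}")
    print(demo())
```

The important design point is in load_trusted_manifest: a plain hash list stored next to the project files is only as trustworthy as the directory permissions, so the manifest itself is authenticated. Swapping the HMAC for a public-key signature (verification key on the workstation, signing key with the change-control team) removes the need to distribute a shared secret.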

Timeline of Events

  1. March 19, 2026: CISA publishes ICS advisory ICSA-26-078-03 for CVE-2026-2273.
  2. March 19, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Upgrade to the patched version of EcoStruxure Automation Expert (25.0.1 or later).
  • Train engineers to be cautious of project files from untrusted sources and to verify their authenticity before opening.
  • Use EDR or application control on engineering workstations to monitor and block suspicious process execution chains.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags: ICS, OT, Schneider Electric, Code Injection, Vulnerability, CISA Advisory
