[TIMESTAMP: 2026-03-19 16:26 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

CVE-2026-2273: Schneider Electric EcoStruxure Automation Expert RCE

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Attackers can execute arbitrary commands on engineering workstations by tricking authenticated users into opening malicious Schneider Electric project files.
  • [02] Affected systems: All versions of Schneider Electric EcoStruxure Automation Expert prior to version 25.0.1 are confirmed to be vulnerable.
  • [03] Remediation: Asset owners must upgrade to version 25.0.1 or restrict project file storage to directories with strict Windows access controls.

Schneider Electric has issued a security advisory regarding a high-severity vulnerability in its EcoStruxure Automation Expert software, according to CISA. The flaw, identified as CVE-2026-2273, involves improper control of code generation. If exploited, this CVE allows an attacker to execute arbitrary commands on the engineering workstation, potentially leading to a total system compromise.

EcoStruxure Automation Expert is an integrated plant automation software suite used primarily for digital control systems in discrete, hybrid, and continuous industrial processes. Because these workstations often serve as the central point for managing logic and configurations for industrial hardware, a successful RCE attack could grant an adversary significant influence over critical infrastructure operations.

Technical Analysis of CVE-2026-2273

The vulnerability is classified as CWE-94: Improper Control of Generation of Code (‘Code Injection’). It carries a CVSS v3.1 base score of 8.2. The attack vector is local: exploitation requires an authenticated user to open a malicious project file. While this requires user interaction, the complexity of modern industrial automation projects makes it difficult for users to distinguish between legitimate and tampered archive files.

From a threat intelligence perspective, this TTP is reminiscent of campaigns conducted by APT groups targeting the energy and manufacturing sectors. Attackers often use phishing to deliver malicious files to engineers. Once the project file is opened and the injected code runs, the attacker gains a foothold on the engineering workstation. This position is ideal for lateral movement into the broader control network or for modifying PLC (Programmable Logic Controller) logic, both of which are common techniques in the MITRE ATT&CK for ICS framework.

When evaluating how to detect CVE-2026-2273 exploit attempts, security teams should focus on file integrity monitoring and unusual child process spawning from the automation software suite. If the software suddenly initiates command-line tools or PowerShell instances without a direct user-initiated action, it may indicate that a malicious project file has triggered an unauthorized command.
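The child-process detection described above, as an added example that is not part of the original article or Schneider Electric's own guidance. It scans constructed Sysmon-style process-creation records (JSON lines) and flags shells or script hosts whose parent is the automation suite; the suite's executable name `AutomationExpert.exe` is an assumed placeholder, since the advisory does not name the binary.

```python
"""Flag shell/script interpreters spawned by the automation suite,
using Sysmon Event ID 1 style process-creation records."""
import json
import ntpath

# Assumed placeholder: the page does not name the suite's executable.
SUITE_PARENTS = {"automationexpert.exe"}
# Command-line tools and script hosts an engineering suite should not
# normally launch on its own.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events (JSON lines with Sysmon-like field names).
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 1, "User": "PLANT\\engineer",
                "ParentImage": r"C:\Program Files\Schneider Electric\AutomationExpert.exe",
                "Image": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "cmd.exe /c echo hello"}),
    json.dumps({"EventID": 1, "User": "PLANT\\engineer",
                "ParentImage": r"C:\Program Files\Schneider Electric\AutomationExpert.exe",
                "Image": r"C:\Program Files\Schneider Electric\Compiler.exe",
                "CommandLine": "Compiler.exe build line1.zip"}),
    json.dumps({"EventID": 1, "User": "PLANT\\engineer",
                "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell.exe -File tidy.ps1"}),
    json.dumps({"EventID": 11, "Image": r"C:\Windows\explorer.exe",
                "TargetFilename": r"C:\Projects\line1.zip"}),
])

def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return ntpath.basename(path).lower()

def suspicious_child_processes(log_text):
    """Return one alert per process-creation event (EventID 1) in which
    the automation suite spawned a shell or script host."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue  # file-create and other event types are out of scope
        parent = image_name(ev.get("ParentImage", ""))
        child = image_name(ev.get("Image", ""))
        if parent in SUITE_PARENTS and child in SUSPICIOUS_CHILDREN:
            alerts.append({"user": ev.get("User"), "parent": parent,
                           "child": child, "cmdline": ev.get("CommandLine")})
    return alerts

if __name__ == "__main__":
    for alert in suspicious_child_processes(SAMPLE_EVENTS):
        print(alert)
```

Only the cmd.exe launch from the suite is reported; the suite's own compiler child and the explorer-launched PowerShell are ignored, which is the baseline a SOC would tune further against the workstation's normal parent/child pairs.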

Schneider Electric EcoStruxure Automation Expert Patch Guidance

The primary remediation for this vulnerability is to upgrade the affected software to EcoStruxure Automation Expert version 25.0.1 or later. Schneider Electric has confirmed that this version contains the necessary fixes to prevent untrusted command execution through malicious project files. Organizations should prioritize this update within their maintenance windows, particularly those operating in the critical manufacturing and energy sectors.

For environments where an immediate update is not feasible, mitigating code injection in industrial control systems requires strict administrative controls. Schneider Electric recommends that all solution and archive files be stored within the user’s home directory or other locations secured by restrictive Windows file-system access controls. This prevents unauthorized users in multi-user environments from tampering with project data before it is accessed by an engineer.

Operational Recommendations

Beyond patching, the SOC should ensure that engineering workstations are isolated from the business network and the public internet. Utilizing EDR solutions on these workstations can help identify the execution of suspicious scripts or binaries. Furthermore, SIEM logs should be reviewed for any unauthorized modifications to project archives or unusual network traffic originating from the engineering workstation to the corporate domain, which could signal a compromise in progress.
