Schneider Electric fixes multiple EcoStruxure flaws, including Foxboro DCS RCE risk
Schneider Electric published a set of security advisories covering multiple EcoStruxure and Modicon product lines, with impacts ranging from remote code execution to loss of confidentiality and integrity and security policy bypass. Affected products named across the notices include EcoStruxure Foxboro DCS, EcoStruxure Automation Expert, EcoStruxure IT Data Center Expert, EcoStruxure Power Monitoring Expert, EcoStruxure Power Operation Advanced Reporting and Dashboards Module, and several Modicon PLC families. National cyber agencies in Canada and France urged organizations to review Schneider Electric bulletins and apply vendor-provided mitigations and updates.
One of the disclosed issues, tracked by CISA for EcoStruxure Foxboro DCS, is a deserialization of untrusted data flaw (CWE-502) affecting workstation and server components in versions prior to CS8.1; Schneider said Control Core Services and runtime components such as FCPs, FDCs, and FBMs are not affected. The vulnerability can enable loss of confidentiality and integrity and possible remote code execution if an administrator-authenticated user opens a malicious project file on a vulnerable workstation. The broader March advisory set references CVE-2025-11739, CVE-2025-13957, CVE-2026-1286, and CVE-2026-2273, and defenders are being told to prioritize patching alongside standard ICS protections such as network segmentation, firewalling, restricted access, and secured remote connectivity.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CERT-FR publishes IT Data Center Expert vulnerability notice
CERT-FR published a notice about a vulnerability in Schneider Electric EcoStruxure IT Data Center Expert products. The notice said the issue could allow compromise of data confidentiality, but provided no CVE, affected versions, exploitation status, or remediation details.
CISA republishes Foxboro DCS vulnerability advisory
CISA published ICS advisory ICSA-26-083-02 covering Schneider Electric's disclosure of a deserialization vulnerability in EcoStruxure Foxboro DCS affecting versions prior to CS8.1. The advisory stated the flaw could enable loss of confidentiality, integrity, and possible remote code execution if an administrator-authenticated user opens a malicious project file on a vulnerable workstation.
CERT-FR issues advisory on Schneider Electric vulnerabilities
CERT-FR published an advisory documenting multiple vulnerabilities in Schneider Electric products and referencing CVE-2025-11739, CVE-2025-13957, CVE-2026-1286, and CVE-2026-2273. The advisory highlighted risks including remote code execution, confidentiality and integrity compromise, and security policy bypass.
Schneider Electric publishes multiple product security bulletins
On March 10, 2026, Schneider Electric published multiple security bulletins covering vulnerabilities across EcoStruxure and Modicon product lines, including Foxboro DCS, Automation Expert, IT Data Center Expert, Power Monitoring Expert, Power Operation modules, and several Modicon PLC families. The bulletins advised customers to review vendor notifications and apply patches or mitigations.
Schneider Electric starts new notification campaign
CERT-FR noted a "new notification campaign" related to multiple Schneider Electric product vulnerabilities. The notice explicitly anchors this campaign as of February 26, 2026.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Vulnérabilité dans les produits Schneider Electric EcoStruxure IT Data Center Expert - CERT-FR
cert.ssi.gouv.fr
Open sourceSchneider Electric EcoStruxure Foxboro DCS | CISA
cisa.gov
Open source[Control systems] Schneider Electric security advisory (AV26-210) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceMultiples vulnérabilités dans les produits Schneider Electric - CERT-FR
cert.ssi.gouv.fr
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Denial-of-Service Vulnerability in Schneider Electric EcoStruxure OPC UA Server Expert
CISA and Schneider Electric disclosed a critical vulnerability in the EcoStruxure OPC UA Server Expert and Modicon Communication Server products, which are widely deployed in commercial facilities, critical manufacturing, and energy sectors. The flaw, tracked as CVE-2024-10085, is an 'allocation of resources without limits or throttling' issue that allows remote attackers to cause a denial of service by sending a large number of OPC UA requests, potentially resulting in the loss of real-time process data from Modicon Controllers. The vulnerability has a CVSS v3.1 base score of 7.5 and a CVSS v4 base score of 8.2, indicating a high level of risk, and was reported by Jin Huang of ADLab of Venustech. Schneider Electric has released a fix for the EcoStruxure OPC UA Server Expert in version SV2.01 SP3, which is available for download. For users unable to immediately apply the update, Schneider Electric recommends implementing specific mitigations to reduce the risk of exploitation. A permanent remediation plan is also being developed for all future versions of the Modicon Communication Server. CISA urges asset owners and operators in affected sectors to review the advisories and apply the recommended mitigations to protect against potential denial-of-service attacks targeting these critical industrial control systems.
Mar 21, 2026
CISA ICS Advisories Highlight Multiple High-Impact Vulnerabilities Across Industrial and IoT Products
CISA published multiple Industrial Control Systems (ICS) advisories detailing vulnerabilities across a range of OT and connected-device products, including **critical** issues in *AVEVA Process Optimization* (multiple CVEs) that could enable unauthenticated **remote code execution**, SQL injection, privilege escalation, and sensitive data exposure in affected versions (<=2024.1). Additional advisories describe flaws in several **Siemens** product lines, including a DoS condition in **SIMATIC/SIPLUS ET 200** components triggered via an S7 protocol disconnect request (`CVE-2025-40944`), a TLS certificate upload input-validation issue that can crash/reboot **RUGGEDCOM ROS** devices (`CVE-2025-40935`), a local privilege escalation in **TeleControl Server Basic** prior to V3.1.2.4 (`CVE-2025-40942`), and multiple issues in **SINEC Security Monitor** (including improper authorization in `ssmctl-client` file transfer and report-generation DoS; `CVE-2025-40830`, `CVE-2025-40831`). CISA also noted vulnerabilities affecting **Siemens Industrial Edge** ecosystems, including an authorization bypass in the **Industrial Edge Device Kit** (`CVE-2025-40805`) and authentication enforcement weaknesses on specific API endpoints in **Industrial Edge Devices** that could allow impersonation if an attacker knows a legitimate user identity. Other CISA advisories covered **Schneider Electric EcoStruxure Power Build Rapsody** (`CVE-2025-13844`), where importing a malicious project file (SSD) could trigger memory corruption (e.g., double free/use-after-free) and potentially arbitrary code execution, and **Rockwell Automation FactoryTalk DataMosaix Private Cloud** (`CVE-2025-12807`), where low-privilege users could perform sensitive database operations via exposed API endpoints (SQL injection class). Separately, CISA warned about **YoSmart/YoLink** weaknesses (multiple CVEs) including insufficient authorization controls in the MQTT broker enabling cross-account device control when device IDs are obtained (with IDs described as predictable), plus additional issues such as cleartext transmission and predictable identifiers. A non-CISA item in the set reported Cisco releasing updates for a max-severity **AsyncOS** vulnerability under active exploitation (`CVE-2025-20393`) affecting *Secure Email Gateway* and *Secure Email and Web Manager* appliances, including evidence of attacker-installed persistence and attribution by Cisco Talos to **UAT-9686**; this is a separate enterprise email-security incident and not part of the ICS advisory set.
Mar 21, 2026
Siemens Issues Security Updates for Multiple Industrial and Engineering Products
**Siemens published security advisories for multiple products**, prompting both CISA ICS advisories and a Canadian Centre for Cyber Security alert covering a broad set of affected industrial/engineering software and OT-adjacent components. Reported issues include a **stored XSS** in *Siemens Polarion* (CVE-2025-40587; CVSS 7.6) where authenticated users can inject JavaScript via crafted document titles, and **local privilege escalation** paths in *Siemens SINEC NMS* and its *User Management Component (UMC)* (CVE-2026-25655, CVE-2026-25656; CVSS 7.8) that allow low-privileged users to modify configuration/search paths to load malicious DLLs and potentially gain elevated execution (including SYSTEM-level impact). Siemens also addressed a **missing authorization** condition affecting *Siveillance Video Management Servers* Webhooks/MIP Webhooks API (CVSS 6.3), enabling a read-only user to obtain full API access. Additional advisories cover file-parsing and third-party component risks that can lead to crashes or potential code execution. *Siemens NX* is affected by multiple **CGM file parsing** flaws (CVE-2026-22923/22924/22925; CVSS 7.8) that can be triggered when a user opens a malicious file, and *Siemens Solid Edge* includes an **out-of-bounds read** in the PS/IGES Parasolid translator when processing crafted IGS files (CVSS 7.8). *Desigo CC* and *SENTRON Powermanager* are impacted via the third-party *WIBU Systems CodeMeter Runtime* chain tied to **CVE-2023-38545** (curl SOCKS5 heap overflow; CVSS 8.8), with Siemens providing component update instructions. *Siemens SINEC OS* before V3.3 aggregates a large set of third-party CVEs across supported platforms, and *Siemens COMOS* advisories include multiple issues (up to CVSS 10) spanning potential code execution, DoS, data exposure, and access control violations; Siemens recommends updating where fixes are available and applying countermeasures where they are not yet released.
May 14, 2026