Schneider Electric EcoStruxure Machine Expert HVAC
Schneider Electric EcoStruxure Machine Expert HVAC versions prior to 1.10.0 are affected by a cleartext storage vulnerability (CVE-2026-6332, CVSS 5.5). This flaw allows an authorized local attacker accessing the software to view sensitive information, leading to the potential disclosure of protected source code and a loss of confidentiality. Updating to version 1.10.0 resolves the issue.
Authors: CISA, Schneider Electric CPCERT
Source: CISA
What Happened
A vulnerability was discovered in Schneider Electric's EcoStruxure Machine Expert HVAC software, which is used to program industrial controllers. The flaw affects versions older than 1.10.0 and could allow an attacker with local access to view sensitive source code stored in cleartext. This could lead to the theft of proprietary logic or further compromise of industrial systems. Users should update the software to version 1.10.0 and ensure their industrial networks are isolated from the internet.
Key Takeaways
- Schneider Electric EcoStruxure Machine Expert HVAC versions prior to 1.10.0 contain a cleartext storage vulnerability.
- The vulnerability (CVE-2026-6332) allows an authorized local attacker to access sensitive information, potentially revealing protected source code.
- Schneider Electric has released version 1.10.0 to remediate this medium-severity (CVSS 5.5) issue.
- Organizations are strongly advised to isolate industrial control networks and restrict physical and network access to controllers.
Affected Systems
- Schneider Electric EcoStruxure Machine Expert HVAC versions prior to 1.10.0
- Modicon M171-M172 logic controllers (programmed by the affected software)
Vulnerabilities (CVEs)
- CVE-2026-6332
Attack Chain
An authorized attacker gains local access to a system running a vulnerable version of EcoStruxure Machine Expert HVAC. The attacker accesses the source code for editing or compiling. Due to the software storing sensitive information in cleartext, the attacker is able to read and extract protected source code, resulting in a loss of confidentiality.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules are provided in the advisory.
Detection Engineering Assessment
- EDR Visibility: Low. The vulnerability involves an authorized user reading cleartext files locally, which closely resembles legitimate application usage and is unlikely to trigger standard EDR alerts.
- Network Visibility: None. This is a local vulnerability (AV:L) that does not generate distinct network traffic during exploitation.
- Detection Difficulty: Hard. Distinguishing between a legitimate developer accessing source code and an authorized attacker exploiting the cleartext storage is extremely difficult without strict behavioral baselining of user activity.
Required Log Sources
- File Access Logs
- Application Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unusual access patterns to EcoStruxure Machine Expert HVAC project files by users or processes that do not typically compile or edit source code. | File Access Logs | Collection | High |
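One way to run the hunt in the table above, as an added example that is not part of the advisory: build a baseline of user/process pairs that normally read project files, then flag first-seen pairs and unusually broad reads. The CSV layout, project root, user names, process names and threshold are constructed placeholders; map them to your own file-access audit export.

```python
import csv
import io
from collections import defaultdict

# Constructed placeholders: the advisory names no paths, users or binaries.
# The trailing separator keeps sibling folders (e.g. "..._old") out of scope.
PROJECT_ROOT = r"c:\projects_placeholder" + "\\"

BASELINE_CSV = r"""day,user,process,path
2026-01-05,eng.alice,ide_placeholder.exe,C:\Projects_Placeholder\ahu1\main.src
2026-01-06,eng.alice,ide_placeholder.exe,C:\Projects_Placeholder\ahu1\io.src
2026-01-06,eng.bob,ide_placeholder.exe,C:\Projects_Placeholder\chiller\main.src
"""

HUNT_CSV = r"""day,user,process,path
2026-02-02,eng.alice,ide_placeholder.exe,C:\Projects_Placeholder\ahu1\main.src
2026-02-02,ops.carol,archiver_placeholder.exe,C:\Projects_Placeholder\ahu1\main.src
2026-02-02,ops.carol,archiver_placeholder.exe,C:\Projects_Placeholder_old\x.src
2026-02-03,eng.bob,ide_placeholder.exe,C:\Projects_Placeholder\chiller\main.src
2026-02-03,eng.bob,ide_placeholder.exe,C:\Projects_Placeholder\chiller\pid.src
2026-02-03,eng.bob,ide_placeholder.exe,C:\Projects_Placeholder\ahu1\main.src
"""

def project_reads(csv_text):
    """Yield (day, user, process, path) for reads under PROJECT_ROOT only."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["path"].lower()  # Windows paths are case-insensitive
        if path.startswith(PROJECT_ROOT):
            yield row["day"], row["user"].lower(), row["process"].lower(), path

def hunt(baseline_csv, hunt_csv, max_files_per_day=2):
    """Return findings: first-seen user/process pairs and bulk daily reads."""
    known = {(u, p) for _, u, p, _ in project_reads(baseline_csv)}
    findings, per_day = [], defaultdict(set)
    for day, user, proc, path in project_reads(hunt_csv):
        if (user, proc) not in known:
            findings.append(("new_user_process", day, user, proc))
            known.add((user, proc))  # report each new pair once
        per_day[(day, user)].add(path)
    for (day, user), files in sorted(per_day.items()):
        if len(files) > max_files_per_day:  # assumed threshold; tune per site
            findings.append(("bulk_read", day, user, len(files)))
    return findings

if __name__ == "__main__":
    for finding in hunt(BASELINE_CSV, HUNT_CSV):
        print(finding)
```

Because the table rates false-positive risk as High for this hunt, treat the findings as leads to review against change records rather than as alerts.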
Control Gaps
- Lack of encryption at rest for sensitive project files and source code in older versions of the software.
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider updating EcoStruxure Machine Expert HVAC to version 1.10.0 or later where supported by your tooling.
Infrastructure Hardening
- Evaluate whether control and safety system networks can be located behind firewalls and isolated from the business network.
- Consider placing all controllers in locked cabinets and ensure they are never left in 'Program' mode.
- If remote access is required, consider using secure methods such as Virtual Private Networks (VPNs) and ensure they are updated to the most current version.
User Protection
- Consider implementing physical controls so unauthorized personnel cannot access industrial control systems, components, or peripheral equipment.
- Evaluate procedures to scan all methods of mobile data exchange (CDs, USB drives) before use in terminals connected to isolated networks.
- Consider restricting mobile devices that have connected to other networks from connecting to safety or control networks without proper sanitation.
Security Awareness
- Consider training personnel on the risks of connecting programming software to any network other than the network intended for that device.
MITRE ATT&CK Mapping
- T1005 - Data from Local System