CVE-2026-8045
Analyzed Analyzed - Analysis Complete

Improper XXE in Schneider Electric Data Center Expert

Publication date: 2026-06-09

Last updated on: 2026-06-23

Assigner: Schneider Electric SE

Description
CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure of server-side file contents when an attacker with a Data Center Expert user account submits crafted XML payloads to SOAP service endpoints.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-09
Last Modified
2026-06-23
Generated
2026-06-30
AI Q&A
2026-06-09
EPSS Evaluated
2026-06-28
NVD
CVE-2026-8045
EUVD
EUVD-2026-35446

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
schneider-electric struxureware_data_center_expert to 9.1.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

The impact of this vulnerability is information disclosure. An attacker with a valid user account can exploit the flaw to access sensitive files on the server, potentially exposing confidential data. This could compromise the security and privacy of the affected system and its data.

Compliance Impact

The provided information does not specify how CVE-2026-8045 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability, identified as CWE-611 Improper Restriction of XML External Entity Reference, exists in Schneider Electric's EcoStruxure IT Data Center Expert software versions 9.1.1 and prior. It allows an attacker who has a Data Center Expert user account to submit specially crafted XML payloads to SOAP service endpoints, which can lead to the disclosure of server-side file contents.

Detection Guidance

The vulnerability involves submitting crafted XML payloads to SOAP service endpoints to disclose server-side file contents. Detection would involve monitoring for unusual or crafted XML requests targeting these SOAP endpoints, especially those coming from users with Data Center Expert accounts.

Specific commands or tools to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, immediately update the EcoStruxure IT Data Center Expert software to version V9.1.2 or later, which includes a fix for this issue.

Follow proper patching methodologies such as using backups and testing patches in a controlled environment before deployment.

Additionally, implement general cybersecurity best practices including isolating control systems, securing physical access, and using secure remote access methods like VPNs.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8045. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart