usd-2025-44 | EcoStruxure Building Operation - WorkStation 7.0.2.348 - XML Entity Expansion (Billion Laughs Attack)

Product: EcoStruxure Building Operation - WorkStation
Affected Version: 7.0.2.348
Vulnerability Type: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') (CWE-776)
Security Risk: MEDIUM
Vendor: Schneider Electric
Vendor URL: https://ecostruxure-building-help.se.com/bms/topics/show.castle?id=8064&locale=en-US&productversion=7.0
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2026-1227
CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2026-1227
Advisory ID: usd-2025-44

Description

The XML interpreter allows the recursive resolution of arbitrary XML entities.

The XML specification allows the definition of entities that can reference other entities within the same document.
When the XML parser processes such documents, it must resolve these references recursively, which can result in an exponential increase in resource consumption depending on the level of recursion.

As a result, even a short XML message can cause an excessively high load on the server.
Attackers may exploit this behavior to perform a denial of service (DoS) attack without the need for extensive resources or infrastructure.

Proof of Concept

The tgml-viewer accepts malicious Graphics in TGML format with XML including DTD/ENTITY declarations.
In the following excerpt, a specially crafted TGML document is shown:

<?xml version="1.0"?>
<!DOCTYPE tgml
[
<!-- 1. Internal entity -->
<!ENTITY a3 "hello" >
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<?tgml version="2.0"?>
<Tgml Background="#E0E0E0" ComponentCounter="4" GridSize="10">
<!-- XEE Test -->
<Text FontFamily="Arial" FontSize="20" FontStyle="Normal"
FontWeight="Normal" HorizontalAlign="Left" Left="0.0"
Opacity="1.0" TextDecoration="None" Top="40.0"
VerticalAlign="Top">
XEE Test: &a4;
</Text>
</Tgml>

A new graphic was created using the malicious TGML document:

When inspecting the newly created Graphic in WorkStation, it is evident that the entity expansion was successful.
The following excerpt proves this:

  • NOTE: The expansion was kept so small that no denial of service was triggered, so as not to jeopardize ongoing operations.

Fix

It is recommended to disable XML entity processing if it is not required.
Alternatively, the number of entities which may be resolved per request can be limited.
It is also possible to limit the number of characters to which an entity can expand.

References

A official advisory by Schneider Electric can be found here: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-041-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-041-02.pdf

Timeline

  • 2025-09-12: Vulnerabilities reported to Schneider Electric
  • 2026-09-19: Schneider Electric assign the internal IDs SE-20492, SE-20493 and SE-20494
  • 2026-01-02: After multiple follow-ups, the vendor reports that the investigation of the report is finished and that a fix will be released in Q1 2026
  • 2026-07-14: This advisory is published.

Credits

This security vulnerability was identified by Robin Plugge of usd AG.