CVE-2026-2273
CWE-94 · Published: March 10, 2026 · Updated: Mar 11, 2026
Official Description
CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of untrusted commands on the engineering workstation which could result in a limited compromise of the workstation and a potential loss of Confidentiality, Integrity and Availability of the subsequent system when an authenticated user opens a malicious project file.
Technical Analysis
CVE-2026-2273 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
News & Research Mentioning CVE-2026-2273
Schneider Electric is aware of a vulnerability in its EcoStruxure™ Automation Expert product.
The EcoStruxure™ Automation Expert product is plant automation software designed for digital control systems in discrete, hybrid and continuous industrial processes. A totally integrated automation solution designed to enhance your flexibility, efficiency and scalability.
Failure to apply the remediation provided below may risk execution of arbitrary commands on the engineering workstation, which could result in a potential compromise of full system.
The following versions of Schneider Electric EcoStruxure Automation Expert are affected: EcoStruxure™ Automation Expert vers:intdot/<25.0.1, 25.0.1
CVSS v3: 8.2 (Source: CISA Alerts)
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2026-2273 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts