Improper XML External Entity (XXE) in Schneider Electric EcoStruxure IT Data Center Expert (CVE‑2026‑8045) Risks Information Disclosure
What It Is — Schneider Electric disclosed an XXE vulnerability (CVE‑2026‑8045) in EcoStruxure IT Data Center Expert versions ≤ 9.1.1 and 9.1.2. An attacker who already has a valid user account can submit a crafted XML payload to the product’s SOAP service, causing the server to return the contents of arbitrary files.
Exploitability — No public exploit code is known, but the flaw is exploitable by any authenticated user; CVSS v3.1 base score 6.5 (Medium).
Affected Products — Schneider Electric EcoStruxure IT Data Center Expert (versions ≤ 9.1.1, 9.1.2).
Why It Matters for Compliance & Audit Readiness
- Continuous vendor‑risk monitoring must ingest advisories like this to demonstrate due‑diligence under SOC 2’s Confidentiality principle.
- Prompt patching creates audit‑ready evidence that controls against third‑party software vulnerabilities are operating effectively.
- Documented remediation supports SOC 2 System Operations and Change Management criteria, which enterprise buyers now demand as proof of a trustworthy supply chain.
Recommended Actions
- Inventory all EcoStruxure IT Data Center Expert installations and verify their version numbers.
- Apply Schneider Electric’s remediation patch immediately.
- Update your third‑party risk register, capture patch‑deployment logs, and map the activity to SOC 2 CC6.1 (Security) and CC7.1 (Change Management) controls.
Source: CISA Advisory