HomeIntelligenceBrief
VULNERABILITY BRIEF🟡 Medium ThreatIntel

Improper XML External Entity (XXE) in Schneider Electric EcoStruxure IT Data Center Expert (CVE-2026-8045) Risks Information Disclosure

Schneider Electric disclosed a CVE‑2026‑8045 XXE vulnerability in EcoStruxure IT Data Center Expert that may allow attackers with valid user accounts to retrieve server‑side files. Organizations using the product must patch promptly to maintain confidentiality controls required by SOC 2.

LiveThreat™ Intelligence · 📅 June 30, 2026· 📰 cisa.gov
🟡
Severity
Medium
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
cisa.gov

Improper XML External Entity (XXE) in Schneider Electric EcoStruxure IT Data Center Expert (CVE‑2026‑8045) Risks Information Disclosure

What It Is — Schneider Electric disclosed an XXE vulnerability (CVE‑2026‑8045) in EcoStruxure IT Data Center Expert versions ≤ 9.1.1 and 9.1.2. An attacker who already has a valid user account can submit a crafted XML payload to the product’s SOAP service, causing the server to return the contents of arbitrary files.

Exploitability — No public exploit code is known, but the flaw is exploitable by any authenticated user; CVSS v3.1 base score 6.5 (Medium).

Affected Products — Schneider Electric EcoStruxure IT Data Center Expert (versions ≤ 9.1.1, 9.1.2).

Why It Matters for Compliance & Audit Readiness

  • Continuous vendor‑risk monitoring must ingest advisories like this to demonstrate due‑diligence under SOC 2’s Confidentiality principle.
  • Prompt patching creates audit‑ready evidence that controls against third‑party software vulnerabilities are operating effectively.
  • Documented remediation supports SOC 2 System Operations and Change Management criteria, which enterprise buyers now demand as proof of a trustworthy supply chain.

Recommended Actions

  • Inventory all EcoStruxure IT Data Center Expert installations and verify their version numbers.
  • Apply Schneider Electric’s remediation patch immediately.
  • Update your third‑party risk register, capture patch‑deployment logs, and map the activity to SOC 2 CC6.1 (Security) and CC7.1 (Change Management) controls.

Source: CISA Advisory

📰 Original Source
https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-03

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →