Cleartext Storage Vulnerability (CVE‑2026‑6332) in Schneider Electric EcoStruxure Machine Expert HVAC Exposes Source Code
What It Is — Schneider Electric’s EcoStruxure Machine Expert HVAC programming suite (versions < 1.10.0) stores controller source code in cleartext. An authorized attacker who gains file‑system access can read the proprietary logic, compromising confidentiality.
Exploitability — No public exploit code is known, but the flaw is trivial to verify once file access is obtained. CVSS v3.1 5.5 (Moderate).
Affected Products — EcoStruxure Machine Expert HVAC (SEVD‑2026‑132‑01) for Modicon M171/M172 PLCs, all releases prior to 1.10.0.
TPRM Impact — Many industrial operators rely on this tool to develop and maintain control logic for critical infrastructure (chemical, energy, water, manufacturing). A breach of source code can:
- Reveal proprietary process algorithms, enabling competitive espionage or sabotage.
- Provide an attacker with a blueprint for future control‑system attacks downstream in the supply chain.
Recommended Actions —
- Immediately upgrade to EcoStruxure Machine Expert HVAC ≥ 1.10.0.
- Apply Schneider‑provided remediation patches (SEVD‑2026‑132‑01).
- Audit file‑system permissions on workstations and servers storing .ME files; enforce least‑privilege and encryption at rest.
- Conduct a review of all third‑party contracts that depend on this software and require proof of remediation.
- Monitor for anomalous access to PLC source‑code repositories.
Source: CISA Advisory – ICSA‑26‑148‑07