Schneider Electric fixed a cleartext storage vulnerability in its EcoStruxure Machine Expert HVAC software on May 12, 2026. The flaw, tracked as CVE-2026-6332, causes project source code to be written to disk in plaintext on the engineering workstation, exposing control logic and other intellectual property to anyone who can read the files. Versions of EcoStruxure Machine Expert HVAC before 1.10.0 are affected. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) republished the advisory, underscoring the risk to industrial control systems.

What is EcoStruxure Machine Expert HVAC?

EcoStruxure Machine Expert HVAC is a specialized engineering software package from Schneider Electric. It lets building automation professionals program, configure, and commission HVAC controllers used in commercial and industrial facilities. The tool runs on Windows-based engineering workstations and generates source code for custom control applications. Because these controllers manage critical systems like air handling, heating, and cooling, any compromise of their logic can have serious operational consequences.

The software integrates with Schneider's EcoStruxure architecture, which connects building management systems to edge devices and cloud analytics. Engineers write custom programs in languages like Structured Text or ladder logic, which are then compiled and deployed to field controllers. The cleartext storage issue means that this proprietary code can be read directly from the file system without decryption or authentication.

Details of the Vulnerability

CVE-2026-6332 arises from the manner in which EcoStruxure Machine Expert HVAC stores project files on the engineering workstation. The software does not encrypt these files before writing them to disk. As a result, any user or process with read access to the file system can view the unencrypted source code. This includes temporary file directories, project folders, and backup locations.

The vulnerability carries a medium severity rating. Schneider Electric and CISA had not published the CVSS vector at the time of writing; cleartext storage weaknesses (CWE-312) typically score in the 5.0 to 6.5 range, with the exact score depending on required privileges and attack complexity. Here an attacker needs local access to the workstation, or a foothold such as malware or a remote access tool from which to copy the files off the machine. That is not a high bar: engineering workstations are routinely targeted in multi-stage attacks against industrial environments, and visibility into controller logic lets an adversary map processes, identify high-value assets, and design more sophisticated attack sequences.

The vulnerability impacts all versions of EcoStruxure Machine Expert HVAC prior to 1.10.0. Schneider Electric confirmed that no other products in the EcoStruxure portfolio are affected by this specific issue.

The Fix in Version 1.10.0

On May 12, 2026, Schneider Electric released EcoStruxure Machine Expert HVAC version 1.10.0, which resolves CVE-2026-6332. The update implements encryption for project files at rest, ensuring that source code is stored in an unreadable format. The company did not disclose the encryption algorithm or key management details, but advised immediate installation.

Users can obtain the update through Schneider Electric’s software update channel, the EcoStruxure Portal, or by contacting their local support representative. The update process is straightforward: download the latest installer, run it, and follow the prompts. Existing projects will be converted to the new encrypted format upon opening and saving in version 1.10.0. Backwards compatibility is preserved for compiled controller binaries.

CISA republished the advisory on its ICS advisory page (ICSA-26-132-01) shortly after the vendor’s initial disclosure. The alert emphasizes that the vulnerability affects critical infrastructure sectors, including commercial facilities and government buildings, where HVAC systems are integral to safety and comfort. CISA recommends all users apply the patch within 30 days or implement compensatory controls.

Why Cleartext Storage Matters in OT

Cleartext storage of sensitive data has been a recurring problem in operational technology (OT) environments. Engineering software often assumes that physical security and air-gapped networks provide sufficient protection, but modern attack campaigns have repeatedly demonstrated the opposite. TRITON was staged from a compromised safety-system engineering workstation, Havex used OPC to enumerate industrial assets, and PIPEDREAM ships components for interacting with PLCs and their engineering protocols. Project files sitting unencrypted on the workstation are exactly the kind of reconnaissance material such tooling is positioned to collect.

When an attacker gains access to unencrypted source code, they can reverse-engineer the control logic, identify safety interlocks, and plant malicious modifications. In HVAC systems, this could lead to temperature manipulation, equipment damage, or even a denial of service during extreme weather. Though building automation systems are sometimes considered lower risk than process control systems, they are increasingly connected to enterprise networks and the internet, expanding the attack surface.

The 2025 Dragos Year in Review reported a 40% increase in ransomware incidents impacting building management systems. Many of these attacks begin with credential theft or exploited vulnerabilities in engineering workstations. Cleartext project files become a low-effort prize once an attacker establishes initial access.

Similar Industrial Software Vulnerabilities

CVE-2026-6332 is not an isolated case. The industrial automation industry has seen repeated advisories in which engineering tools stored sensitive information in plaintext:

  • Project or controller passwords kept in an unencrypted project file, so anyone who can read the file can bypass the access control the password was meant to enforce.
  • Device private keys and configuration files saved without encryption, enabling impersonation of the device on the network.
  • Project files on the engineering workstation readable without any authentication, leaking ladder logic and other control code.

Each of these issues underscores a broader industry challenge: software design often prioritizes usability over secure-by-default principles. Vendors are gradually adopting measures like full-disk encryption, secure enclaves, and application-level encryption, but legacy practices persist.

Mitigations for Users Who Cannot Immediately Update

If immediate patching is not possible, Schneider Electric and CISA recommend several temporary mitigations:

  • Restrict access to engineering workstations to only authorized and trained personnel. Use strong domain accounts with multi-factor authentication and minimize local user accounts.
  • Disable insecure file sharing protocols like SMBv1 and NetBIOS on engineering workstations to reduce the chance of remote file theft.
  • Use Windows BitLocker or third-party full-disk encryption to protect data at rest on the workstation’s drive. This only defends against offline access (a stolen laptop or a pulled disk); once a user is logged in the volume is unlocked, so it does nothing against malware or an interactive attacker on the running system.
  • Isolate engineering networks from the corporate LAN and the internet using firewalls and demilitarized zones (DMZs). Only allow specifically required outbound connections.
  • Monitor for suspicious file access patterns using endpoint detection and response (EDR) tools. Look for processes other than the engineering software reading large numbers of project files at once, and enable file-access auditing on the project folders so those reads land in the Security log.
  • Regularly back up project files to a secure, off-system location that is also encrypted.
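The following PowerShell script is an added example, not Schneider Electric or CISA code, that checks an engineering workstation against the interim mitigations above: whether SMBv1 is disabled, whether the system drive is BitLocker-protected, and which broad principals can read the project folder. It also turns on read auditing for that folder so the EDR hunt described in the list has an event to key on. Run it in an elevated session. The project folder path is an assumption; substitute the folder the software actually uses.

```powershell
# Added example (not vendor code). Requires an elevated PowerShell session.
# $ProjectRoot is an assumed location; replace it with the real project folder.
$ProjectRoot = 'C:\Users\Public\Documents\Schneider Electric\Machine Expert HVAC Projects'

function Get-Smb1Status {
    # Server-side SMBv1 switch plus the optional feature (covers the client side).
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'SMBv1 disabled'
        Pass   = (-not $server) -and ($null -eq $feature -or $feature.State -ne 'Enabled')
        Detail = "ServerEnabled=$server FeatureState=$($feature.State)"
    }
}

function Get-SystemDriveEncryption {
    # BitLocker only protects against offline access, but it is still worth reporting.
    $vol = $null
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Check  = 'System drive encrypted'
        Pass   = ($null -ne $vol) -and ($vol.ProtectionStatus -eq 'On')
        Detail = if ($vol) { "VolumeStatus=$($vol.VolumeStatus) Protection=$($vol.ProtectionStatus)" }
                 else { 'BitLocker cmdlets or volume not available' }
    }
}

function Get-ProjectFolderExposure {
    # Every Allow ACE that grants ReadData to a broad principal is a set of users
    # and processes that can copy the cleartext project source.
    if (-not (Test-Path $ProjectRoot)) {
        return [pscustomobject]@{ Check = 'Project folder ACL'; Pass = $false; Detail = "Folder not found: $ProjectRoot" }
    }
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $acl = Get-Acl -Path $ProjectRoot
    $exposed = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    })
    $names = $exposed | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    [pscustomobject]@{
        Check  = 'Project folder ACL'
        Pass   = ($exposed.Count -eq 0)
        Detail = if ($exposed.Count) { 'Read granted to: ' + ($names -join ', ') } else { 'No broad read access' }
    }
}

function Enable-ProjectReadAuditing {
    # Adds a SACL so successful reads of any file under the project folder are
    # logged as Security event 4663 once the "File System" audit subcategory is on.
    $acl  = Get-Acl -Path $ProjectRoot -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ReadData', 'ContainerInherit,ObjectInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $ProjectRoot -AclObject $acl
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
}

$results = @((Get-Smb1Status), (Get-SystemDriveEncryption), (Get-ProjectFolderExposure))
$results | Format-Table Check, Pass, Detail -AutoSize
if (Test-Path $ProjectRoot) { Enable-ProjectReadAuditing }
```

The ACL check deliberately flags ReadData rather than write rights: for a cleartext storage weakness the question is who can copy the files, not who can change them. Event 4663 records from the audit rule are noisy on a busy workstation, so filter them in the EDR or SIEM by process name and exclude the engineering application itself.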

These measures cannot fully eliminate risk but can reduce the likelihood of exploitation while planning the upgrade.

The Bigger Picture: Securing Engineering Workstations

CVE-2026-6332 serves as a reminder that security in industrial environments must extend beyond the plant floor to the engineering tools that design and maintain it. Engineering workstations are high-value targets because they contain the intellectual blueprint of a facility’s operations. A holistic defense strategy should include:

  • Vendor awareness: Equipment manufacturers should adopt secure development lifecycles that mandate encryption at rest and in transit for all sensitive data.
  • Asset management: Organizations must maintain a complete inventory of all engineering software, including versions, to quickly identify vulnerable installations when advisories are issued.
  • Continuous education: Engineers and technicians should receive training on secure coding practices for OT environments, including proper file handling and storage.
  • Network segmentation: Following Purdue model principles, Level 3 (site operations) and Level 4 (enterprise) networks must be tightly controlled to limit lateral movement.

Schneider Electric has made no public statement regarding any active exploitation of CVE-2026-6332. However, the release of a dedicated patch and the CISA advisory suggest the vendor takes the issue seriously. Users are encouraged to sign up for Schneider’s cybersecurity notifications to receive direct alerts for future vulnerabilities.

How to Update EcoStruxure Machine Expert HVAC

The update process is straightforward:

  1. Navigate to the Schneider Electric EcoStruxure Download Center. Log in with your registered account.
  2. Search for “Machine Expert HVAC” and locate version 1.10.0 or later.
  3. Download the installer and verify its digital signature (right-click, Properties, Digital Signatures) to ensure authenticity.
  4. Close all running instances of the software and run the installer as administrator.
  5. Follow the on-screen prompts. The installer will automatically migrate settings and detect existing projects.
  6. After installation, open each affected project and save it to apply the new encryption layer.
  7. Recompile and redeploy controller applications as needed to ensure consistency.

A reboot of the engineering workstation is not typically required, though it is good practice to restart after any software update. Organizations with multiple workstations should deploy the patch centrally using software management tools like SCCM or third-party deployment solutions.

What This Means for Windows Users

Because EcoStruxure Machine Expert HVAC is exclusively a Windows application, this vulnerability directly impacts Windows workstations in facilities worldwide. Built-in Windows features narrow the exposure but do not close it: controlled folder access stops untrusted processes from writing to protected folders but does not block reads, BitLocker only protects a drive that is offline, and Credential Guard protects domain credentials rather than files. None of them addresses the root cause, the application’s cleartext storage design, so applying the patch remains the only comprehensive fix.

Windows system administrators should audit all engineering workstations for the presence of EcoStruxure Machine Expert HVAC and other industrial software. A simple script can query the registry or file system for known installation paths. For example:

# Checks the default installation folder; adjust the path if the software was installed elsewhere.
$path = "C:\Program Files\Schneider Electric\EcoStruxure Machine Expert HVAC"
if (Test-Path $path) { Write-Host "Installation found. Check version." }

Once identified, the version can be verified by launching the program and selecting Help > About. Any version below 1.10.0 must be updated.
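For fleets of workstations the folder check and the Help > About visit do not scale, and step 3 of the update procedure (verifying the installer’s signature) is easy to skip when done by hand. The following PowerShell script is an added example, not Schneider Electric code, that reads the installed product and version from the Windows Uninstall registry keys, compares it with the fixed release 1.10.0, and verifies a downloaded installer’s Authenticode signature before anyone runs it. The DisplayName substring and the expected signer name are assumptions; check them against a known-good install and the installer’s Digital Signatures tab.

```powershell
# Added example (not vendor code). The product name pattern and signer name are
# assumptions; adjust them if your installation shows different values.
$FixedVersion   = [version]'1.10.0'
$ProductPattern = 'EcoStruxure Machine Expert HVAC'   # assumed DisplayName substring
$ExpectedSigner = 'Schneider Electric'                # assumed certificate CN substring

function Get-MachineExpertHvacInstall {
    # Query both the native and the WOW6432Node Uninstall hives so a 32-bit
    # install on a 64-bit OS is not missed.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$ProductPattern*" } |
        ForEach-Object {
            $installed = $null
            [void][version]::TryParse($_.DisplayVersion, [ref]$installed)
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Product    = $_.DisplayName
                Version    = $_.DisplayVersion
                # Fail closed: an unparseable version string is treated as vulnerable.
                Vulnerable = ($null -eq $installed) -or ($installed -lt $FixedVersion)
                Path       = $_.InstallLocation
            }
        }
}

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$InstallerPath)
    # Rejects unsigned, tampered, or differently-signed installers.
    $sig     = Get-AuthenticodeSignature -FilePath $InstallerPath
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        File    = $InstallerPath
        Status  = $sig.Status
        Signer  = $subject
        Trusted = ($sig.Status -eq 'Valid') -and ($subject -like "*CN=$ExpectedSigner*")
    }
}

$installs = @(Get-MachineExpertHvacInstall)
if ($installs.Count -eq 0) {
    Write-Host "No $ProductPattern installation found in the Uninstall keys."
} else {
    $installs | Format-Table Computer, Product, Version, Vulnerable, Path -AutoSize
}

# Before running a downloaded installer (the path below is a placeholder):
# Test-InstallerSignature -InstallerPath 'C:\Temp\installer.exe'
```

Run the inventory function through Invoke-Command against the list of engineering workstations and export the objects to CSV; the Vulnerable column gives the patch worklist directly. The [version] comparison handles strings such as 1.9.5 correctly (1.9.5 is older than 1.10.0), which a plain string comparison would get wrong.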

Conclusion

CVE-2026-6332 is a textbook example of an information exposure vulnerability that could give attackers a detailed blueprint of critical building controls. Schneider Electric’s prompt release of version 1.10.0 provides a clear remedy. Organizations responsible for HVAC systems should treat this patch with the same urgency as they would any industrial control system security update. Because exploitation requires read access to the workstation’s file system, the issue will not show up in network scans; the realistic threat is an attacker who has already landed on the workstation, and patching now removes the prize they would otherwise find there.