Schneider Electric has warned customers of a serious authenticated XML External Entity (XXE) injection vulnerability in its EcoStruxure IT Data Center Expert software, which, if exploited, could allow attackers with valid credentials to exfiltrate sensitive server-side files or even pivot further into a network. The flaw, assigned CVE-2026-8045, affects versions 9.1.1 and earlier and was disclosed by the company on June 9, 2026. A fix is now available in version 9.1.2, and administrators are urged to patch immediately.

What is EcoStruxure IT Data Center Expert?

EcoStruxure IT Data Center Expert is Schneider Electric’s flagship centralized monitoring and management platform for data center infrastructure. It provides a unified view of power, cooling, security, and asset tracking across distributed environments, enabling IT staff to maintain uptime and optimize energy usage. The software integrates with a wide range of Schneider and third-party devices, making it a critical component in modern data center operations.

Given its role, the platform often stores sensitive configuration data, network maps, and sometimes credentials for managed devices. A compromise of this system could therefore give an attacker a detailed blueprint of the entire data center, facilitating further attacks on critical infrastructure.

Understanding XML External Entity Attacks

XML External Entity (XXE) attacks exploit insecure parsing of XML inputs. When an XML parser processes a document that contains a reference to an external entity, the parser may fetch the referenced resource if external entity processing is enabled. Attackers can craft malicious XML payloads that trick the parser into reading local files, reaching internal network services, or exhausting memory and CPU through recursive entity expansion (the “billion laughs” attack), which results in denial of service.

The OWASP Top 10 has long flagged XXE as a critical risk, and secure coding guidelines universally recommend disabling external entity resolution unless absolutely necessary. Vulnerabilities persist, however, often due to default configurations in XML libraries or oversight during development.
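What the recommended hardening looks like in code, as an added example that is not Schneider Electric's code and is not taken from the product: a Python parser built on the standard library's SAX interface that refuses any document carrying a DTD (which removes both external entities and billion-laughs expansion) and, as defense in depth, switches off external general and parameter entity resolution. The two sample documents are constructed for the demonstration; the `file:///placeholder` URL is a stand-in, not a real target.

```python
"""Hardened XML parsing for untrusted input (added example, not product code).

A DTD is the only place an XML document can declare entities, so rejecting
the DOCTYPE outright blocks external entities (XXE), external DTD fetches
(SSRF) and recursive internal entities (billion laughs) in one step.
"""
import xml.sax
import xml.sax.handler
from io import StringIO


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML declares a DTD; no DTD means no entity tricks."""


class _Collector(xml.sax.handler.ContentHandler):
    """Minimal content handler: records the text of leaf elements by tag name."""

    def __init__(self):
        super().__init__()
        self.values = {}
        self._buf = []

    def startElement(self, name, attrs):
        self._buf = []

    def characters(self, content):
        self._buf.append(content)

    def endElement(self, name):
        text = "".join(self._buf).strip()
        if text:
            self.values[name] = text
        self._buf = []


class _RejectDTD:
    """Lexical handler: abort as soon as a <!DOCTYPE ...> declaration appears,
    before any entity in its internal subset can be declared or resolved."""

    def startDTD(self, name, public_id, system_id):
        raise UnsafeXMLError(f"DTD declared for root <{name}>; document rejected")

    # Remaining lexical callbacks expat may invoke; nothing to do for them.
    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_untrusted(xml_text: str) -> dict:
    """Parse XML from an authenticated but untrusted caller.

    Returns {tag: text} for leaf elements, or raises UnsafeXMLError.
    """
    parser = xml.sax.make_parser()
    # Defense in depth: even if a DTD were tolerated, never fetch external
    # general or parameter entities (the primitive an XXE payload relies on).
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    # Primary control: any DOCTYPE aborts parsing.
    parser.setProperty(xml.sax.handler.property_lexical_handler, _RejectDTD())
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(StringIO(xml_text))
    return collector.values


def safe_parse(xml_text: str):
    """Convenience wrapper: (values, None) on success, (None, reason) if rejected."""
    try:
        return parse_untrusted(xml_text), None
    except UnsafeXMLError as exc:
        return None, str(exc)


# Constructed sample inputs: one benign device record, one XXE-style payload,
# one recursive-entity payload. The file URL is a placeholder.
BENIGN_DOC = "<device><host>dc1-pdu-01</host><port>443</port></device>"
XXE_DOC = ('<!DOCTYPE d [<!ENTITY leak SYSTEM "file:///placeholder">]>'
           "<device><host>&leak;</host></device>")
EXPANSION_DOC = ('<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                 "<device><host>&b;</host></device>")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("xxe", XXE_DOC), ("expansion", EXPANSION_DOC)):
        print(label, safe_parse(doc))
```

Rejecting the DOCTYPE is stricter than merely disabling external entities, but for an API or upload endpoint that only ever expects plain device and configuration records, no legitimate client needs a DTD, so the strict rule costs nothing and removes the whole vulnerability class rather than one symptom of it.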

CVE-2026-8045: How the Flaw Works

In the case of CVE-2026-8045, EcoStruxure IT Data Center Expert fails to disable external entity processing in its XML parsing routines. An attacker who has already authenticated to the application – even with low-privilege credentials – can supply a specially crafted XML input that references external entities. This could be done, for example, through an API endpoint or a file upload feature that processes XML.

Once such input is parsed, the parser could be forced to read arbitrary files from the server’s filesystem, such as configuration files, password hashes, or private keys. Additionally, the vulnerability could be used for server-side request forgery (SSRF), allowing the attacker to probe internal network services that are otherwise inaccessible from outside.

Schneider Electric has confirmed that the vulnerability is not remotely exploitable without authentication, somewhat limiting the immediate attack surface. However, given the sensitivity of the data handled by the platform, even an authenticated exploit could lead to significant security breaches or lateral movement within the network.

Impact and Risk

The impact of a successful XXE attack on a data center management system is potentially severe. Exposed files could contain credentials for managed devices, enabling an attacker to take control of power distribution units, cooling systems, or network switches. In a worst-case scenario, this could lead to physical damage, service outages, or the compromise of entire data center operations.

Schneider Electric has not publicly released a CVSS score for CVE-2026-8045, but based on the nature of the vulnerability and the privileged context of the software, security analysts estimate a high-severity rating. XXE vulnerabilities typically score between 6.5 and 8.6 on the CVSS v3 scale, depending on required privileges and data sensitivity. Given the authenticated requirement, the score is likely toward the lower end of that range, but the potential business impact remains critical.

Administrators should consider the risk not in isolation but as part of a broader attack chain. An authenticated XXE could be used as a stepping stone to gain administrative control over the EcoStruxure IT platform itself, after which an attacker could reconfigure the entire monitoring infrastructure or erase logs to hide malicious activity.

Remediation and Patch

Schneider Electric has fixed the vulnerability in EcoStruxure IT Data Center Expert version 9.1.2. The patch properly disables external entity processing in the XML parser, blocking the attack vector. The company has published a security notification (SEVD-2026-xxx) with detailed upgrade instructions and strongly recommends immediate application of the update.

For organizations that cannot immediately patch, the following temporary mitigations are effective but are not substitutes for the fix:

  • Restrict network access to the EcoStruxure IT Data Center Expert application, allowing only trusted IP ranges.
  • Enforce strict authentication policies, including multi-factor authentication, to limit the pool of potential attackers.
  • Monitor application logs for unusual XML parsing activity or attempts to access unexpected files.
  • If feasible, deploy a web application firewall (WAF) with rules that block XML external entity attacks.
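The log-monitoring item above is easier to act on with concrete triage logic. As an added example that is not from Schneider Electric or the product, the Python below scans constructed application log lines (the line format is invented here; the product's real log format is not on the page) for request bodies that declare a DTD, reference an external entity or external DTD, or nest entity definitions, and then counts flagged attempts per account so repeat offenders stand out during the window before the 9.1.2 update is applied.

```python
"""Triage XML request logs for XXE indicators (added example, not product code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed log format, one request per line: timestamp, account, source IP,
# endpoint and an excerpt of the XML request body. Hostnames/IPs are invented.
SAMPLE_LOG = """\
2026-06-10T08:01:12Z user=ops-reader src=10.20.1.15 path=/api/import body=<device><host>dc1-pdu-01</host></device>
2026-06-10T08:01:40Z user=ops-reader src=10.20.1.15 path=/api/import body=<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e SYSTEM "file:///placeholder">]><device><host>&e;</host></device>
2026-06-10T08:02:03Z user=svc-monitor src=10.20.2.9 path=/api/status body=<status ok="1"/>
2026-06-10T08:02:51Z user=ops-reader src=10.20.1.15 path=/api/import body=<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><device><host>&b;</host></device>
2026-06-10T08:03:10Z user=contractor src=10.20.3.77 path=/api/import body=<!DOCTYPE d SYSTEM "http://dtd.example.invalid/x.dtd"><device/>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) path=(?P<path>\S+) body=(?P<body>.*)$"
)
# XML keywords are case-sensitive, so the patterns are too.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b")
EXT_DTD_RE = re.compile(r"<!DOCTYPE\s+\w+\s+(SYSTEM|PUBLIC)\b")        # external DTD fetch
EXT_ENTITY_RE = re.compile(r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b")  # external entity
INTERNAL_ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"')       # name, literal value


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    path: str
    indicators: list


def classify_body(body: str) -> list:
    """Return the XXE-related indicators present in one request body."""
    indicators = []
    if DOCTYPE_RE.search(body):
        indicators.append("doctype")
    if EXT_DTD_RE.search(body):
        indicators.append("external-dtd")
    if EXT_ENTITY_RE.search(body):
        indicators.append("external-entity")
    # Internal entities whose value references another entity are the
    # building block of recursive ("billion laughs") expansion.
    defined = dict(INTERNAL_ENTITY_RE.findall(body))
    if any(f"&{other};" in value for value in defined.values() for other in defined):
        indicators.append("nested-entity-expansion")
    return indicators


def scan_log(text: str) -> list:
    """Parse each log line and keep only requests with at least one indicator."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        indicators = classify_body(match["body"])
        if indicators:
            findings.append(Finding(match["ts"], match["user"], match["src"],
                                    match["path"], indicators))
    return findings


def attempts_by_user(findings: list) -> dict:
    """Count flagged requests per account; repeats warrant a closer look."""
    return dict(Counter(f.user for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f.ts, f.user, f.src, f.path, ",".join(f.indicators))
    print(attempts_by_user(hits))
```

Because the vulnerability requires a valid login, the account in each finding is the most useful field: a monitoring service account that suddenly submits DOCTYPE-bearing bodies, or one user repeating attempts within minutes, is worth an immediate credential review, whereas a plain `<device>` record from the same account is ordinary traffic.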

Schneider also notes that the vulnerability was discovered internally and that there is no evidence of active exploitation in the wild. Nevertheless, the public disclosure typically triggers increased scanning by threat actors, so time is of the essence.

The Bigger Picture: XXE in Enterprise Software

CVE-2026-8045 is a reminder that even mature enterprise products can harbor decade-old vulnerability classes. XXE has been well-documented since the early 2000s, yet it continues to appear in security advisories across industries. The root cause often lies in legacy code, reliance on default parser settings, or insufficient input validation.

Data center management tools are particularly attractive targets because they sit at the intersection of IT and operational technology (OT). A vulnerability in such a system can bridge air-gapped networks or bypass network segmentation. Schneider Electric has invested heavily in cybersecurity for its EcoStruxure platform, but this incident underscores the need for continuous security testing and rigorous code review.

Users are advised to incorporate the EcoStruxure IT Data Center Expert patch into their regular vulnerability management cycle and to verify that all instances of the software are accounted for. Large organizations may have multiple deployments across regional data centers, and a single unpatched instance could become an entry point.

Conclusion

The disclosure of CVE-2026-8045 is a timely reminder that even authenticated applications require strict input sanitization. Schneider Electric’s rapid response and clear advisory are commendable, but the ultimate responsibility rests with administrators to apply the patch. With data center downtime costs often exceeding $5,000 per minute, the risk of leaving an exploitable vulnerability in a critical management tool is simply too great to ignore.

IT teams should update to EcoStruxure IT Data Center Expert 9.1.2 without delay and review their XML parsing practices across other enterprise applications to prevent similar issues. The patch is available now via Schneider Electric’s software update channels.