Schneider Electric EcoStruxure Building Operation Workstation and WebStation Improper Control of Code Generation Vulnerability

Vulnerability

A vulnerability allowing the execution of untrusted or unintended code has been identified in Schneider Electric's EcoStruxure Building Operation Workstation and WebStation. The issue is an improper control of code generation, triggered when maliciously crafted design content is processed through a TGML graphics file. The vulnerability affects all 7.0.x versions prior to 7.0.2, as well as all 6.0.x versions prior to 6.0.4.7000 (CP5) and all 6.x versions prior to 6.0.4.14001 (CP10).

Impact

Exploitation of this vulnerability could lead to the execution of untrusted or unintended code within the application.

Remediation

Users can upgrade to EcoStruxure Building Operation version 7.0.2, 6.0.4.7000 (CP5), or 6.0.4.14001 (CP10). Instructions for downloading the patch are available on the Schneider Electric MySchneider Documents Download Center.

Added: Feb 11, 2026, 2:17 PM
Updated: Feb 11, 2026, 5:58 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 7.5
exploitability: 3.0
remediation: 7.9
relevance: 2.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.