CVE-2026-2273

CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exist that could cause execution of untrusted commands on the engineering workstation which could result in a limited compromise of the workstation and a potential loss of Confidentiality, Integrity and Availability of the subsequent system when an authenticated user opens a malicious project file.

CVSS

No CVSS.

References

Link	Resource
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-04.pdf

Configurations

No configuration.

History

17 Jun 2026, 10:30

Type	Values Removed	Values Added
Summary		(es) CWE-94: Existe una vulnerabilidad de Control inadecuado de la generación de código ('Inyección de código') que podría causar la ejecución de comandos no confiables en la estación de trabajo de ingeniería, lo que podría resultar en un compromiso limitado de la estación de trabajo y una posible pérdida de Confidencialidad, Integridad y Disponibilidad del sistema subsiguiente cuando un usuario autenticado abre un archivo de proyecto malicioso.

10 Mar 2026, 18:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 18:18

Updated : 2026-06-17 10:30

NVD link : CVE-2026-2273

Mitre link : CVE-2026-2273

CVE.ORG link : CVE-2026-2273

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2026-2273", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-2273", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T17:42:09.226674Z"}}], "cvssMetricV40": [{"type": "Secondary", "source": "cybersecurity@se.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.2, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "cybersecurity@se.com", "affectedData": [{"vendor": "Schneider Electric", "product": "EcoStruxure\u2122 Automation Expert", "versions": [{"status": "affected", "version": "Versions prior to v25.0.1"}], "defaultStatus": "unaffected"}]}], "published": "2026-03-10T18:18:48.007", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-04.pdf", "source": "cybersecurity@se.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "cybersecurity@se.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exist that could cause execution of untrusted commands on the engineering workstation which could result in a limited compromise of the workstation and a potential loss of Confidentiality, Integrity and Availability of the subsequent system when an authenticated user opens a malicious project file."}, {"lang": "es", "value": "CWE-94: Existe una vulnerabilidad de Control inadecuado de la generaci\u00f3n de c\u00f3digo ('Inyecci\u00f3n de c\u00f3digo') que podr\u00eda causar la ejecuci\u00f3n de comandos no confiables en la estaci\u00f3n de trabajo de ingenier\u00eda, lo que podr\u00eda resultar en un compromiso limitado de la estaci\u00f3n de trabajo y una posible p\u00e9rdida de Confidencialidad, Integridad y Disponibilidad del sistema subsiguiente cuando un usuario autenticado abre un archivo de proyecto malicioso."}], "lastModified": "2026-06-17T10:30:41.673", "sourceIdentifier": "cybersecurity@se.com"}