Schneider Electric EcoStruxure Automation Expert versions prior to 25.0.1 contain a critical vulnerability (CVSS v3 8.2) permitting arbitrary command execution. This post provides detection logic and hardening steps for defenders.
Introduction
Security Arsenal is tracking a high-severity vulnerability in Schneider Electric's EcoStruxure Automation Expert, a pivotal "totally integrated automation solution" used in discrete, hybrid, and continuous industrial processes. The advisory (ICSA-26-078-03) warns that failure to apply the remediation risks the execution of arbitrary commands on the engineering workstation.
In an OT environment, the engineering workstation is the "crown jewel." Compromise here typically allows an attacker to manipulate control logic, alter safety parameters, or deploy malware to downstream controllers. With a CVSS score of 8.2, this is not a theoretical risk; it is a critical gap that demands immediate defensive action.
Technical Analysis
- Affected Product: EcoStruxure Automation Expert (formerly known as Unity Pro / EcoStruxure Machine Expert).
- Affected Versions: Versions prior to 25.0.1 (including vers:intdot/<25.0.1).
- Vulnerability Type: Remote Code Execution (RCE) / Arbitrary Command Execution.
- Attack Vector: The vulnerability allows an attacker to execute arbitrary commands on the engineering workstation. While specific technical details (CWE) are pending full disclosure, the impact is clear: attackers can leverage the automation software's privileges to run system commands.
- Impact: Full system compromise of the engineering workstation and potential lateral movement to the industrial control network.
Detection & Response
Detecting the exploitation of this vulnerability requires monitoring for abnormal process execution patterns spawned by the EcoStruxure software. Since the vulnerability allows arbitrary command execution, we must hunt for the automation process spawning standard shells (cmd.exe, powershell.exe) or making unauthorized network connections.
SIGMA Rules
---
title: Schneider Electric EcoStruxure Automation Expert Spawning Shell
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects potential exploitation of EcoStruxure Automation Expert RCE via suspicious child processes (cmd, powershell).
references:
    - https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-03
author: Security Arsenal
date: 2026/02/24
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains:
            - 'EcoStruxure'
            - 'Automation Expert'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative scripts launched by engineers (rare)
level: high
---
title: Schneider Electric EcoStruxure Unusual Network Connection
id: 9b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects unusual outbound network connections initiated by EcoStruxure Automation Expert binaries.
references:
    - https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-03
author: Security Arsenal
date: 2026/02/24
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|contains:
            - 'EcoStruxure'
            - 'Automation Expert'
        Initiated: 'true'
    # Sigma has no "|not" modifier: the excluded ports go into a filter that is negated in the condition
    filter_web_ports:
        DestinationPort:
            - 80
            - 443
            - 8080
    filter_legit_licensing:
        DestinationHostname|contains:
            - 'schneider-electric.com'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate communication with authorized PLCs or engineering servers
level: medium
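To make the two rules' semantics concrete, here is an added Python evaluation of their logic over constructed Sysmon-style events (example code written for this post, not part of the original page or of any Sigma tooling). Field names follow Sysmon event IDs 1 and 3, and the executable name AutomationExpert.exe is a placeholder, not the product's real binary.

```python
# Match values copied from the two Sigma rules; Sigma string matching is case-insensitive.
PARENT_CONTAINS = ("EcoStruxure", "Automation Expert")
CHILD_ENDSWITH = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
WEB_PORTS = {80, 443, 8080}
LICENSING_HOSTS = ("schneider-electric.com",)

def _contains(value, needles):
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)

def _endswith(value, suffixes):
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def shell_spawn_alert(event):
    """Rule 1: an EcoStruxure process starting cmd/powershell/pwsh (level: high)."""
    return (_contains(event.get("ParentImage"), PARENT_CONTAINS)
            and _endswith(event.get("Image"), CHILD_ENDSWITH))

def unusual_connection_alert(event):
    """Rule 2: outbound EcoStruxure connection that is neither to a web port
    nor to the vendor licensing domain (level: medium)."""
    if not _contains(event.get("Image"), PARENT_CONTAINS):
        return False
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    if event.get("DestinationPort") in WEB_PORTS:
        return False  # filter_web_ports
    return not _contains(event.get("DestinationHostname"), LICENSING_HOSTS)  # filter_legit_licensing

def run_hunt(process_events, network_events):
    """Return (rule-1 hits, rule-2 hits) for lists of Sysmon-shaped events."""
    return ([e for e in process_events if shell_spawn_alert(e)],
            [e for e in network_events if unusual_connection_alert(e)])

# Constructed sample telemetry (not real logs); AutomationExpert.exe is a placeholder name.
APP = r"C:\Program Files\Schneider Electric\EcoStruxure Automation Expert\bin\AutomationExpert.exe"
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": APP, "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": APP, "Image": r"C:\Windows\System32\notepad.exe"},
]
SAMPLE_NETWORK_EVENTS = [
    {"Image": APP, "Initiated": "true", "DestinationPort": 8888, "DestinationHostname": "203.0.113.10"},
    {"Image": APP, "Initiated": "true", "DestinationPort": 443, "DestinationHostname": "update.example.net"},
    {"Image": APP, "Initiated": "true", "DestinationPort": 8443, "DestinationHostname": "lic.schneider-electric.com"},
    {"Image": APP, "Initiated": "false", "DestinationPort": 9999, "DestinationHostname": "203.0.113.10"},
]
```

Only the first process event and the first network event should fire; the licensing host on 8443 and the inbound connection are filtered exactly as the rules specify.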
KQL (Microsoft Sentinel / Defender)
// Hunt for suspicious process creation by Schneider Electric software
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName contains "EcoStruxure" or InitiatingProcessFolderPath contains "Schneider Electric"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, SHA256
| order by Timestamp desc
Velociraptor VQL
-- Hunt for suspicious child processes of EcoStruxure Automation Expert
-- pslist() exposes Ppid but no Parent object, so parents are enumerated first and their children joined via foreach()
SELECT * FROM foreach(
  row={ SELECT Pid AS ParentPid, Name AS ParentName, CommandLine AS ParentCmd
        FROM pslist() WHERE Name =~ "EcoStruxure" },
  query={ SELECT Pid, Name, CommandLine, Exe, Username, CreateTime,
                 ParentPid, ParentName, ParentCmd
          FROM pslist()
          WHERE Ppid = ParentPid AND Name =~ "^(cmd|powershell|pwsh)[.]exe$" })
Remediation Script (PowerShell)
This script checks the file version of the primary EcoStruxure executable to determine if the installation is vulnerable.
# Check Schneider Electric EcoStruxure Automation Expert Version
# Define the vulnerable threshold (target version is 25.0.1; older versions are vulnerable)
$TargetVersion = [version]"25.0.1.0"
$InstallPaths = @(
    "${env:ProgramFiles}\Schneider Electric\EcoStruxure Automation Expert\",
    "${env:ProgramFiles(x86)}\Schneider Electric\EcoStruxure Automation Expert\"
)
$VulnerableFound = $false
$BinariesChecked = 0
foreach ($Path in $InstallPaths) {
    if (Test-Path $Path) {
        # Common location of the main module; adjust if the install layout differs
        $ExePath = Join-Path -Path $Path -ChildPath "bin"
        if (-not (Test-Path $ExePath)) {
            Write-Host "[WARN] Install found at $Path but no bin folder; adjust `$ExePath" -ForegroundColor Yellow
            continue
        }
        foreach ($File in Get-ChildItem -Path $ExePath -Filter "*.exe") {
            try {
                $VersionInfo = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($File.FullName)
                if ($VersionInfo.FileVersion) {
                    # Build the version from the numeric parts: the FileVersion string may carry
                    # trailing text that would make a direct [version] cast throw
                    $FileVer = [version]::new($VersionInfo.FileMajorPart, $VersionInfo.FileMinorPart,
                                              $VersionInfo.FileBuildPart, $VersionInfo.FilePrivatePart)
                    $BinariesChecked++
                    # CompanyName is shown because third-party helper binaries bundled in bin report
                    # their own (often lower) version; confirm the vendor before acting on an alert
                    Write-Host "Checking: $($File.Name) [$($VersionInfo.CompanyName)] - Version: $FileVer"
                    if ($FileVer -lt $TargetVersion) {
                        Write-Host "[ALERT] Vulnerable version found at: $($File.FullName)" -ForegroundColor Red
                        $VulnerableFound = $true
                    }
                }
            } catch {
                # Report unreadable version info instead of silently skipping the file
                Write-Host "[WARN] Could not read version of $($File.FullName): $($_.Exception.Message)" -ForegroundColor Yellow
            }
        }
    }
}
if ($BinariesChecked -eq 0) {
    Write-Host "[WARN] No EcoStruxure binaries were checked; verify the install path before treating this host as clean." -ForegroundColor Yellow
} elseif (-not $VulnerableFound) {
    Write-Host "[INFO] No vulnerable instances detected in standard paths." -ForegroundColor Green
} else {
    Write-Host "[ACTION] Please apply the patch provided by Schneider Electric to update to version 25.0.1 or later."
}
Remediation
- Patch Immediately: Apply the remediation provided by Schneider Electric. Update EcoStruxure Automation Expert to version 25.0.1 or the latest available version.
- Vendor Advisory: Review the official Schneider Electric security notification and CISA advisory ICSA-26-078-03 for detailed patch instructions.
- Network Segmentation: Ensure engineering workstations are isolated from the internet and strictly segmented from the ICS/OT network via a DMZ or regulated firewall. This limits the blast radius if the workstation is compromised.
- Principle of Least Privilege: Ensure user accounts used to log into EcoStruxure do not have local administrator privileges on the workstation unless absolutely necessary.