Schneider Electric: community verdicts

5 notable / known-exploited Schneider Electric CVEs the community has triaged.

ⓘ Not an exhaustive list: we focus on the findings that matter (exploited / notable). For every Schneider Electric CVE, see NVD ↗.

CVE-2018-7841CRIT 9.8KEVEPSS 72%
A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.
CVE-2025-13901MED 5.3EPSS 0%
CWE-404 Improper Resource Shutdown or Release vulnerability exists that could cause partial Denial of Service on Machine Expert protocol when an unauthenticated attacker sends malicious payload to occupy active communication channels.
CVE-2026-8045MED 6.5EPSS 0%
CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure of server-side file contents when an attacker with a Data Center Expert user account submits crafted XML payloads to SOAP service endpoints.
CVE-2025-13902MED 5.4EPSS 0%
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim’s browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload.
CVE-2026-2273HIGH 8.2Real · low riskEPSS 0%
CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exist that could cause execution of untrusted commands on the engineering workstation which could result in a limited compromise of the workstation and a potential loss of Confidentiality, Integrity and Availability of the subsequent system when an authenticated user opens a malicious project file.