CISA Advisories Warn of Schneider EcoStruxure Risks That Can Slow Production

A line can be running well all morning, then a change stalls, a dashboard looks wrong, or a support workstation starts acting strangely. Now maintenance is waiting, supervisors are asking for answers, and nobody wants to touch the system until they know what changed.

That is why these recent CISA advisories matter. CISA recently republished two Schneider Electric notices covering EcoStruxure Automation Expert and EcoStruxure Power software. One warning centers on a bad project file opened on an engineering workstation. The other involves unsafe handling of data that could let someone with local access run harmful code.

For plant leaders, this is not just a software story. These tools often sit close to engineering work, power monitoring, reporting, alarms, and restart decisions. The real question is simple: could either issue turn into downtime, troubleshooting delays, or one more surprise on the floor?

What is going wrong, and where these Schneider Electric advisories can disrupt work

The first notice, ICSA-26-078-03, covers Schneider Electric EcoStruxure Automation Expert. Versions before v25.0.1 are affected. In plain terms, if an authenticated user opens a malicious project file, harmful commands can run on the engineering workstation. CISA lists the issue as high severity, with a CVSS score of 8.2. For a plant, that means a trusted workstation can become the starting point for change delays, bad assumptions, and extra validation work.

The Automation Expert issue starts at the engineering workstation, but the pain can spread to the line

An engineering PC is rarely “just a PC.” It may hold project files, support troubleshooting, or help push changes during a schedule crunch. If that machine runs untrusted commands after someone opens a bad file, the damage may not stay local. Teams can lose confidence in settings, file history, or recent changes.

That usually shows up as slower changeovers, delayed fault response, and more manual checking before anyone restarts or adjusts a process.


The second notice, ICSA-26-078-04, covers EcoStruxure Power Monitoring Expert (PME) and EcoStruxure Power Operation (EPO). Affected PME versions include 2022 and earlier, 2023, 2023 R2, 2024, and 2024 R2. Affected EPO Advanced Reporting modules include 2022 and 2024. This issue involves unsafe data handling that can allow local code execution with admin-level impact. CISA scores it 7.8, also high. For broader context, CISA has published other Schneider industrial control advisories, which is a reminder that production-support software needs regular review.

The Power software issue is local, but local problems still create plant-wide delays

“Local” sounds limited, but plants know better. Shared workstations, vendor sessions, and busy support machines all count as real exposure paths. If a local user can trigger admin-level code execution, teams may lose trust in the very dashboards and reports they use during power events or alarms.


That can slow decisions, stretch diagnosis time, and make restarts more cautious than they need to be.

Why this happens in real plants, even when production is running fine

These advisories matter because production software often stays in place for good reasons. If a system works, nobody wants to stop a line just to update it. Testing takes time. Vendors need to be involved. Meanwhile, engineering laptops and support systems often pick up more jobs over the years than anyone first planned.

Production systems often stay unchanged because uptime comes first

That is not poor judgment. It is a normal plant decision. Production teams protect output first, because missed runs hurt fast. Still, stable systems can sit exposed longer than anyone thinks, especially when they support core engineering or power visibility.

Schneider notes these products are deployed across major sectors worldwide. That tells you this is not an edge case. These are common tools in serious operating environments. Readers who have followed earlier EcoStruxure Power notices have seen the same pattern before.

Trusted workflows, shared access, and file movement create hidden openings

Risk often enters through ordinary work. A shared project file gets opened. A USB drive moves between systems. A remote support session stays available longer than planned. An engineering machine touches more than one network because operations need fast answers.

Small openings do not stay small when they sit next to production support.

CISA and Schneider both push practical steps here. Keep these systems off the public internet. Put control networks behind firewalls. Separate business and plant traffic where it makes sense. Use secure remote access, such as VPN connections kept at the current version, and remember that a VPN is only as secure as the devices connected to it. Treat USB drives and project files that arrive from outside the plant as untrusted until someone has checked them. The point is not rigid theory. The point is fewer shop-floor surprises.

What the business impact looks like when these warnings get ignored

A workstation issue can delay engineering work. A monitoring problem can slow diagnosis. Then a local compromise forces more checks, more rework, and more second-guessing during abnormal conditions.

Small software issues can turn into lost shifts and delayed orders

One compromised workstation can pause changes while teams verify settings or compare backups. One monitoring server issue can push staff into manual checks during a power event. As a result, outages last longer, recovery slows down, and promised ship dates get harder to hit.

In power-sensitive operations, delayed visibility also makes root-cause work harder. When the dashboard is in doubt, every decision takes longer.

The bigger cost is uncertainty on the floor

The hardest hit is often trust. If workstation behavior looks odd, or reports seem questionable, supervisors slow down and double-check everything. Operators hesitate. Maintenance spends more time proving what did not change.

That caution is understandable, but it reduces throughput before a full outage even happens.

A practical way to decide what action these two advisories deserve

Start by finding out whether these Schneider products are present, where they sit, and who depends on them. Some plants keep that in an asset platform such as OTBase or a maintenance system such as DreamzCMMS. The tool matters less than having a current list you can trust.

Start with visibility, so you know which systems can affect uptime

Know which sites run Automation Expert, PME, or EPO. Confirm versions. Identify which workstations open project files, and which systems support reporting, alarms, or engineering changes tied to live production.

That shortens diagnosis time and cuts guesswork when something feels off. Related Schneider platforms have also drawn attention, including recent EcoStruxure Process Expert guidance, so visibility helps beyond these two notices.

Make changes in a way that protects production, not just the software

For Automation Expert, Schneider lists v25.0.1 or newer as the fixed version. For PME and EPO, apply the product-specific updates Schneider provides. There is one important detail: some Power Operation environments rely on Power Monitoring Expert, and PME may need separate updating.

Use a staged response. Verify affected versions. Review exposure paths. Pick a production window that allows testing and rollback. Keep backup copies of programs and system settings, and confirm that a restore actually works before the window opens. That approach supports uptime while still reducing risk.
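The "confirm versions" step above and the fixed-version detail for Automation Expert are easy to get wrong by hand when a site has dozens of hosts, so here is an added example of how to automate the check. This is illustrative code written for this page, not a tool from CISA, Schneider Electric, or the article's author. It assumes an inventory export in CSV form with host, role, product and version columns (the sample rows, hostnames and versions are constructed for the example), that Automation Expert versions look like "v25.0.1" and that PME and EPO Advanced Reporting releases look like "2023 R2". The affected ranges are the ones the two advisories list as quoted in this article: Automation Expert before v25.0.1, PME through 2024 R2, and the 2022 and 2024 EPO Advanced Reporting modules. A result of "not listed" means the version is outside those ranges, not that it is known to be safe; confirm against the vendor notice.

```python
"""
Flag EcoStruxure installs that fall inside the affected ranges quoted from
ICSA-26-078-03 and ICSA-26-078-04, given an inventory export.
Added example for this page; not vendor or CISA code.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of an asset-platform or CMMS export. Hostnames and
# versions are made up for illustration.
SAMPLE_INVENTORY = """host,role,product,version
ENG-WS-01,engineering workstation,EcoStruxure Automation Expert,v24.2.0
ENG-WS-02,engineering workstation,EcoStruxure Automation Expert,v25.0.1
PME-SRV-01,power monitoring server,EcoStruxure Power Monitoring Expert,2023 R2
PME-SRV-02,power monitoring server,EcoStruxure Power Monitoring Expert,2021
EPO-RPT-01,reporting server,EcoStruxure Power Operation Advanced Reporting,2024
HMI-07,operator HMI,Vijeo Designer,6.3
"""


@dataclass
class Finding:
    host: str
    product: str
    version: str
    status: str      # "affected", "not listed", or "unknown version format"
    advisory: str


def _numeric_version(text):
    """'v25.0.1' -> (25, 0, 1); None if the string does not parse."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def _release_version(text):
    """'2023 R2' -> (2023, 2); '2024' -> (2024, 1); None if it does not parse."""
    m = re.fullmatch(r"(\d{4})(?:\s*R(\d+))?", text.strip(), re.IGNORECASE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 1))


def classify(product, version):
    """Return (status, advisory id) for one product/version pair."""
    p = product.lower()
    if "automation expert" in p:
        v = _numeric_version(version)
        if v is None:
            return "unknown version format", "ICSA-26-078-03"
        # Fixed in v25.0.1; everything earlier is affected.
        return ("affected" if v < (25, 0, 1) else "not listed"), "ICSA-26-078-03"
    if "power monitoring expert" in p:
        v = _release_version(version)
        if v is None:
            return "unknown version format", "ICSA-26-078-04"
        # 2022 and earlier, 2023, 2023 R2, 2024 and 2024 R2 are listed as affected.
        return ("affected" if v <= (2024, 2) else "not listed"), "ICSA-26-078-04"
    if "power operation" in p and "advanced reporting" in p:
        v = _release_version(version)
        if v is None:
            return "unknown version format", "ICSA-26-078-04"
        # Only the 2022 and 2024 modules are named in the advisory text quoted
        # above; anything else is "not listed", which means "check the vendor
        # notice", not "safe".
        return ("affected" if v[0] in (2022, 2024) else "not listed"), "ICSA-26-078-04"
    return "not listed", ""


def review_inventory(csv_text):
    """One Finding per inventory row that maps to either advisory."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status, advisory = classify(row["product"], row["version"])
        if advisory:
            findings.append(Finding(row["host"], row["product"],
                                    row["version"], status, advisory))
    return findings


def affected_hosts(csv_text):
    """Sorted hostnames that need a production window scheduled."""
    return sorted(f.host for f in review_inventory(csv_text) if f.status == "affected")


if __name__ == "__main__":
    for f in review_inventory(SAMPLE_INVENTORY):
        print(f"{f.host:<12} {f.advisory:<15} {f.status:<22} {f.product} {f.version}")
```

Feed it the real export instead of the constructed sample and the "affected" rows become the list for the staged response: those are the hosts that need a test window, a verified backup, and a rollback plan. Rows that come back as "unknown version format" are worth a manual look, since an inventory that cannot state a version is itself a finding.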

What good looks like after the advisories are reviewed

Good looks simple from the floor. You know if the plant has the affected software. You know whether it touches production-critical work. You know who owns the review and who makes the final go or no-go call.

Leaders should be able to answer these shop-floor questions quickly

  • Which plants or lines use these Schneider tools?
  • Are any affected versions still in use?
  • Which workstations open project files or support engineering changes?
  • Could a local issue slow reporting, alarms, or restart decisions?
  • If updates are needed, what production window allows safe testing?
  • Who makes the final call on timing and risk?

These are not just technical notices. They are early warnings that production-support systems may need attention before a small issue becomes a lost shift. One advisory affects Automation Expert before v25.0.1 through a harmful project file path. The other affects PME and EPO through unsafe data handling that can allow local code execution. The practical takeaway is clear: know whether you have the affected software, decide whether it touches uptime, and act in a way that protects predictable production.