[Control systems] Schneider Electric security advisory (AV26-029)

Serial number: AV26-029
Date: January 14, 2026

On January 13, 2026, Schneider Electric published advisories to address vulnerabilities in the following products:

• EcoStruxure Power Build Rapsody software – multiple versions
• Wiser iTRV2 Version Wiser iTRV3, Wiser RTR2, Wiser UFH, Wiser 16A Electrical Heat Switch, Wiser Boiler Relay, Exxact cFMT 16a, Elko cFMT 16a, Odace cFMT 2a, Merten cFMT 16a, Merten cFMT 2a, Wiser Power Micromodule, Wiser FIP Micromodule, Iconic, Wiser Connected Smart Dimmer, Iconic, Wiser Connected Smart Switch, 2AX, Iconic, Wiser Connected Smart Switch, 10AX, Iconic, Connected AC Fan Controller Iconic, Connected Smart Socket, Wiser Connected Application Module 1-Gang, Wiser Connected Application Module 2-Gang, Wiser Connected Push Button Dimmer, Wiser Connected Push Button Switch, Wiser Connected Push Button Shutter, Wiser Connected Motion Dimmer, Wiser Connected Motion Switch, Wiser Connected Rotary Dimmer, Connected Wireless Switch, Micromodule Switch, Micromodule Dimmer, Micromodule Shutter, Connected Single Socket Outlet, Connected Double Socket Outlet, Fuga Connected Socket Outlet, Mureva EV Link – all versions
• EcoStruxure™ Process Expert – versions prior to 2025
• EcoStruxure™ Process Expert for AVEVA System Platform – all versions
• Plant iT/Brewmaxx – version v9.60 and later

The Cyber Centre encourages users and administrators to review the provided web links, perform the suggested mitigations and apply the necessary updates.

• Multiple Vulnerabilities on EcoStruxure Power Build Rapsody
• Multiple Third-Party Vulnerabilities on Zigbee Products
• Incorrect Default Permissions Vulnerability on EcoStruxure™ Process Expert
• Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx
• Schneider Electric Security Notifications