Executive Summary

CVE-2026-8045 is an XML External Entity (XXE) flaw in Data Center Expert SOAP service endpoints that allows an authenticated attacker to read arbitrary server-side files by submitting crafted XML payloads. The physical criticality is indirect but real: Data Center Expert sits at the monitoring and management layer for power, cooling, and environmental infrastructure, and disclosed credentials or configuration files extend the blast radius into the systems that keep facilities running.

Technical Exposure Breakdown

The vulnerable component is the SOAP service interface of Data Center Expert (DCE), a data center infrastructure management (DCIM) platform that aggregates telemetry from UPS units, power distribution, cooling controllers, and rack-level sensors. The defect maps to CWE-611, Improper Restriction of XML External Entity Reference. The SOAP parser processes inbound XML without disabling external entity resolution, which means a request body can declare a DOCTYPE with an external entity pointing at a local file path. When the parser dereferences that entity, the file contents are reflected back into the response or otherwise made available to the requester.

The attack vector requires a valid DCE user account, so this is not an unauthenticated remote read. That precondition narrows the field, but it does not eliminate the threat. In OT environments, DCE accounts are frequently shared across operations teams, provisioned with weak or default credentials, or reachable from a flat management VLAN that also touches contractor laptops and jump hosts. An attacker who phishes one operator credential, or who pivots from a compromised IT segment into the DCIM network, gains the ability to extract server-side files. Typical XXE targets include configuration files holding database connection strings, integration credentials for connected building management systems, and certificate material.

No CVSS score is published in the source record and this CVE is not in the known exploited vulnerability catalog. Absence from the KEV program is not evidence of low risk. XXE is a well understood class with mature tooling, and the path from authenticated read primitive to credential theft to lateral movement is short and well documented.

OT Impact and Compliance Risk

Data Center Expert does not actuate breakers or open valves directly, so this flaw will not by itself trip a load. The damage is informational and it compounds. Server-side files extracted through this XXE commonly contain the credentials DCE uses to poll downstream devices over SNMP, Modbus, or vendor protocols. Those credentials then enable access to the power and cooling controllers that do have physical effect. The disclosure layer becomes the staging ground for the actuation layer.

For compliance, an exposed DCE host in a facility under NERC CIP scope can implicate CIP-007 system security management and CIP-005 electronic security perimeter requirements, since the disclosed material may undermine the access controls auditors expect. Under IEC 62443, this is a failure of the system hardening and least-privilege expectations in the 62443-3-3 system requirements, specifically around input validation and information confidentiality. Water utilities operating DCE-class monitoring under AWIA 2018 risk assessment obligations should treat disclosed integration credentials as a reportable change to their risk posture.

Compensating Controls

Do not assume the vendor patch alone closes your exposure, and do not run active vulnerability scans against the DCE host or its monitored devices without a maintenance window. Aggressive SOAP probing and malformed XML fuzzing can hang industrial polling services and, in some controller families, brick the device. Use passive identification first.

Track CVE-2026-8045 exposure across your DCIM footprint with continuous monitoring from BreachSpider, which correlates vulnerable Data Center Expert deployments against active threat signals.