[Control systems] Schneider Electric security advisory (AV26-449)
Analysis Summary
# Vulnerability: Multiple Flaws in Schneider Electric Industrial Control Products (AV26-449)
## CVE Details
*Note: While the specific CVE numbers for the 2026-132 series remain reserved/pending in the source article, the following weaknesses are identified:*
- **CVE-2026-TBD1**: Clear Text Storage of Sensitive Information (CWE-312)
- **CVE-2026-TBD2**: Insufficient Entropy (CWE-331)
- **CVE-2026-TBD3**: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) (CWE-22)
- **CVE-2026-TBD4**: Initialization of a Resource with an Insecure Default (CWE-1188)
- **CVSS Score**: Not explicitly provided in the summary, but typically ranges from **7.5 (High)** to **9.8 (Critical)** for these classes of industrial vulnerabilities.
## Affected Systems
- **EcoStruxure Machine Expert HVAC**: Versions prior to 1.10.0
- **Easergy MiCOM Series**:
  - C264 (vD6.x, vD7.33 and prior)
  - P30 & P40 (Multiple versions/models)
  - Px40 Series (Multiple versions/models)
- **Easergy C5**: Versions 1.1.17 and prior
- **EcoStruxure Power Automation System**: Multiple versions/models
- **PowerLogic Products**: Multiple versions/models
- **RTU & Controllers**:
  - Saitel DP (v11.06.36 and prior)
  - EasyLogic T150 / Saitel DR (v11.06.30/31 and prior)
- **EcoStruxure Panel Server (PAS400, PAS600, PAS600V2, PAS800, PAS800V2)**: Versions 002.005.000 and prior
- **iPMFLS**: Version 64.2025.0.13 and prior
## Vulnerability Description
This advisory covers four primary technical flaws across the Schneider Electric ecosystem:
1. **Clear Text Storage**: Sensitive data (such as credentials or configurations) is stored without encryption in Machine Expert HVAC, allowing an attacker with file system access to compromise the system.
2. **Insufficient Entropy**: Weaknesses in random number generation affecting multiple products can lead to predictable cryptographic keys, facilitating session hijacking or decryption of traffic.
3. **Path Traversal**: Improper limitation of pathnames allows attackers to access files outside of intended directories, potentially leading to unauthorized information disclosure or remote code execution.
4. **Insecure Default Initialization**: EcoStruxure Panel Servers are deployed with insecure default settings that may leave management interfaces or communication ports exposed to unauthorized access.
## Exploitation
- **Status**: Not currently reported as exploited in the wild; no public PoC available in the provided advisory.
- **Complexity**: Low to Medium (depending on the specific product and network positioning).
- **Attack Vector**: Primarily Network / Adjacent.
## Impact
- **Confidentiality**: High (due to clear text storage and path traversal).
- **Integrity**: High (potential to modify configuration via insecure defaults).
- **Availability**: High (potential to disrupt controller operations).
## Remediation
### Patches
Schneider Electric recommends upgrading to the following versions:
- **EcoStruxure Machine Expert HVAC**: Upgrade to v1.10.0 or later.
- **Easergy MiCOM/Saitel/Panel Server**: Refer to the specific SEVD advisory links for your exact hardware model to obtain the latest firmware.
### Workarounds
- Disable unused ports and services on Panel Servers.
- Implement strict network segmentation (ISA/IEC 62443 architecture) to isolate control systems from the corporate network.
- Change all default passwords and security certificates upon commissioning.
## Detection
- **Indicators of Compromise**: Unexpected file access logs (Path Traversal), unauthorized logins using default credentials, or unusual encrypted traffic patterns (Entropy issues).
- **Methods**: Use Industrial Intrusion Detection Systems (IIDS) to monitor for directory traversal strings (e.g., `../`) in web management traffic.
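
The monitoring method above can be sketched as a log check. This is an added example, not code from the Schneider Electric advisory or from any IIDS product. It goes beyond the literal `../` string by percent-decoding the request target (bounded, to cover double encoding) and treating backslashes as separators before looking for a `..` segment. The access-log format, paths and addresses are constructed assumptions.

```python
import re
from urllib.parse import unquote

# A ".." path segment bounded by separators or the ends of the string.
DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")
# Request line of a common-log-format entry (assumed log format).
REQUEST_LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # bound the work spent on multiply-encoded input


def normalize_target(target):
    """Percent-decode until stable (bounded) and unify path separators."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def has_traversal(target):
    """True if the path or any query component contains a '..' segment."""
    # Split on query delimiters so a value such as "file=../x" is checked alone.
    parts = re.split(r"[?&=;]", normalize_target(target))
    return any(DOTDOT_SEGMENT.search(part) for part in parts)


def flag_lines(log_lines):
    """Return (source_ip, raw_target) for each request that traverses upward."""
    hits = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if match and has_traversal(match.group("target")):
            hits.append((line.split()[0], match.group("target")))
    return hits


# Constructed sample lines: documentation IP ranges, hypothetical paths.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2026:10:00:05 +0000] "GET /files/../../config.bin HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2fconfig.bin HTTP/1.1" 200 90',
    '203.0.113.9 - - [01/Jan/2026:10:00:12 +0000] "GET /download?file=%252e%252e%255cconfig.bin HTTP/1.1" 400 0',
    '192.0.2.10 - - [01/Jan/2026:10:00:20 +0000] "GET /docs/release..notes.txt HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, target in flag_lines(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

Matching on a whole `..` segment rather than the substring keeps file names such as `release..notes.txt` from raising alerts.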
## References
- Schneider Electric Security Notifications: hxxps[://]www[.]se[.]com/ww/en/work/support/cybersecurity/security-notifications[.]jsp
- SEVD-2026-132-01 (Machine Expert HVAC): hxxps[://]download[.]schneider-electric[.]com/files?p_Doc_Ref=SEVD-2026-132-01
- SEVD-2026-132-02 (Insufficient Entropy): hxxps[://]download[.]schneider-electric[.]com/files?p_Doc_Ref=SEVD-2026-132-02
- SEVD-2026-132-03 (Path Traversal): hxxps[://]download[.]schneider-electric[.]com/files?p_Doc_Ref=SEVD-2026-132-03
- SEVD-2026-132-04 (Insecure Defaults): hxxps[://]download[.]schneider-electric[.]com/files?p_Doc_Ref=SEVD-2026-132-04