Schneider Electric and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) are urging critical infrastructure operators to immediately patch a path traversal vulnerability that exposes sensitive files on two widely deployed remote terminal unit (RTU) platforms. Tracked as CVE-2026-6865, the flaw affects EasyLogic T150 and Saitel DP firmware, potentially enabling authenticated attackers to read arbitrary files from the underlying operating system. The advisory, released on Tuesday, assigns a CVSS v3.1 score of 7.4, placing it squarely in the high-severity category.

The vulnerability centers on insufficient input validation in a web-based management endpoint. By crafting a specially formatted request that includes directory traversal sequences (e.g., ../), a logged-in user with low privileges can break out of the intended directory and access configuration files, password hashes, and system logs. In a worst-case scenario, an attacker could leverage these stolen secrets to pivot deeper into the operational technology (OT) network, tamper with device logic, or cause physical disruption.

Affected Products and Versions

The security notification impacts the following Schneider Electric industrial automation products:
- EasyLogic T150 RTU: all firmware versions up to and including 11.06.31
- Saitel DP RTU: all firmware versions up to and including 11.06.36

Both product lines are sold globally and are commonly found in electric utility substations, water treatment plants, and oil and gas facilities. The most recent vulnerable builds were published as late as November 2025, according to the vendor’s download portal, and because every earlier release is affected as well, the number of unpatched devices is likely to be significant given the long lifecycle of OT assets.

How the Attack Works

Path traversal, also known as directory traversal, is a classic web application security flaw that has plagued IT systems for decades but remains alarmingly prevalent in industrial devices. In this case, the RTU’s embedded web server fails to sanitize user-supplied input in a file retrieval function. After authenticating with even the most basic operator credentials, an attacker can send a GET or POST request with a manipulated filename parameter, such as ?file=..%2f..%2fetc%2fpasswd, to read the contents of any file on the file system that the web server process has permission to access.

Security researcher Andrés Campuzano of Opscura, who disclosed the bug to Schneider Electric’s product security incident response team (PSIRT) in early January 2026, explained in a private briefing shared with reporters that the attack requires minimal skill. “It’s as simple as editing one string in a browser’s developer tools,” Campuzano said. “We were able to dump the entire shadow password file on a test unit within seconds of authenticating as a guest user.” Schneider Electric confirmed that no public exploit code is available at this time, but the company acknowledged that the vulnerability’s simplicity makes it likely that custom exploits will surface in the wild.

CISA Weighs In

CISA issued Industrial Control Systems Advisory ICSA-26-120-01 concurrently with the vendor’s disclosure, underscoring the risk to North American critical infrastructure. The advisory recommends that organizations using affected EasyLogic or Saitel DP RTUs apply the vendor-provided firmware updates immediately. CISA also advises implementing network segmentation to isolate OT devices from corporate IT networks, enforcing strict least-privilege policies for user accounts, and monitoring for suspicious file access patterns in SIEM tools, such as web-interface requests whose filename parameter carries encoded traversal sequences.
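The monitoring recommendation above is concrete enough to script. What follows is an added example, not part of the CISA advisory or of any Schneider Electric tooling: it scans common-log-format access-log lines from an RTU web interface and raises an alert for every request whose filename parameter, after repeated percent-decoding, would escape the intended directory. The /cgi-bin/getfile endpoint, the file parameter name and the log lines themselves are constructed for the demonstration; the advisory does not publish the real endpoint.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines. Endpoint and parameter name are hypothetical;
# the advisory does not disclose the real ones.
SAMPLE_LOGS = """\
10.20.5.11 - operator [30/Apr/2026:09:14:02 +0000] "GET /cgi-bin/getfile?file=config%2Fdevice.xml HTTP/1.1" 200 4821
10.20.5.11 - guest [30/Apr/2026:09:14:37 +0000] "GET /cgi-bin/getfile?file=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1390
10.20.5.11 - guest [30/Apr/2026:09:14:41 +0000] "GET /cgi-bin/getfile?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 200 902
10.20.9.3 - operator [30/Apr/2026:09:20:10 +0000] "POST /cgi-bin/getfile HTTP/1.1" 200 77
10.20.5.11 - guest [30/Apr/2026:09:21:05 +0000] "GET /cgi-bin/getfile?file=/etc/shadow HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
PARAM = "file"   # hypothetical name of the file-retrieval parameter


def full_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing; return (text, rounds).
    Attackers double- or triple-encode to slip past single-pass filters."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def escapes_root(path):
    """True if the decoded value would leave the intended directory."""
    if "\x00" in path:                      # null byte: classic truncation trick
        return True
    norm = posixpath.normpath(path.replace("\\", "/"))
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def raw_param(target, name):
    """Return the still-encoded value of one query parameter. parse_qs would
    already decode it once and hide how deeply it was encoded."""
    for pair in urlsplit(target).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def scan_access_log(text):
    """Return one alert dict per request whose file parameter escapes the root."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = raw_param(m["target"], PARAM)
        if raw is None:                     # POST bodies are not in access logs
            continue
        decoded, depth = full_decode(raw)
        if escapes_root(decoded):
            alerts.append({
                "ip": m["ip"], "user": m["user"], "ts": m["ts"],
                "raw": raw, "decoded": decoded, "encode_depth": depth,
                "status": int(m["status"]),
            })
    return alerts


if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOGS):
        verdict = "served" if a["status"] == 200 else "blocked"
        print(f'{a["ts"]} {a["ip"]} user={a["user"]} {verdict} {a["decoded"]!r} '
              f'(encoding depth {a["encode_depth"]})')
```

Two details matter in practice: the check runs on the fully decoded value rather than on the raw string, so `%252e%252e%252f` is recognised as `../`, and a 403 is still an alert, because a blocked attempt from an authenticated account tells you that account is being misused. POST-based variants need the body, which an access log does not carry; for those you need a reverse proxy or the device's own application log.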

“Exploitation of this vulnerability could allow an attacker to obtain proprietary device information, escalate privileges, and compromise the integrity of control system data,” the CISA notice reads. “CISA strongly encourages asset owners and operators to upgrade to the fixed firmware versions as soon as possible.”

The agency noted that it is not aware of any active exploitation of CVE-2026-6865 as of the advisory’s release, but the energy sector is often targeted by nation-state actors who could quickly weaponize such a straightforward flaw.

Mitigation and Remediation

Schneider Electric has released updated firmware that eliminates the vulnerability. The recommended actions are:
- For EasyLogic T150 RTU: upgrade to firmware version 11.06.32 or later.
- For Saitel DP RTU: upgrade to firmware version 11.06.37 or later.

The patches introduce proper path normalization and validation routines that reject any file access attempts containing traversal characters. The vendor also added an optional configuration parameter to disable direct file retrieval entirely for installations where the feature is not needed.
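To make the bug class from “How the Attack Works” and the kind of fix described above concrete, here is an added example in Python. It is not the RTU firmware’s code (the real handler and directory layout are not public): it places a vulnerable resolver next to a tempting non-fix, a substring filter applied to the raw parameter, and a hardened version that decodes fully, canonicalizes, and only then checks that the result stays under the export directory. The EXPORT_ROOT path and the probe strings are constructed.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical directory the file-retrieval feature is meant to serve from.
EXPORT_ROOT = "/var/www/rtu/exports"


def full_decode(value, max_rounds=5):
    """Percent-decode until stable so %252e%252e%2f cannot hide a '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def vulnerable_resolve(root, name):
    """The bug class in the advisory: decode, join, never check containment."""
    return posixpath.normpath(posixpath.join(root, unquote(name)))


def naive_filter_resolve(root, name):
    """A tempting non-fix: a string check on the raw parameter before decoding.
    '..%2f' contains no literal '../' and walks straight through."""
    if "../" in name:
        raise PermissionError("traversal sequence rejected")
    return vulnerable_resolve(root, name)


def hardened_resolve(root, name):
    """Decode fully, canonicalize, then require the result to stay under root.
    A real handler should also apply os.path.realpath to both sides so that a
    symlink inside the export directory cannot point outside it."""
    decoded = full_decode(name)
    if "\x00" in decoded:
        raise PermissionError("null byte in filename")
    root = posixpath.normpath(root)
    # posixpath.join discards root when name is absolute ("/etc/shadow"),
    # which is one reason the containment check below is mandatory.
    candidate = posixpath.normpath(posixpath.join(root, decoded.replace("\\", "/")))
    if not candidate.startswith(root + "/"):
        raise PermissionError(f"{decoded!r} resolves outside {root}")
    return candidate


def demo(resolver, name):
    """Run one resolver against one attacker-supplied value and report the outcome."""
    try:
        return "served " + resolver(EXPORT_ROOT, name)
    except PermissionError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    probes = [
        "config/device.xml",                      # legitimate request
        "..%2f..%2f..%2f..%2fetc%2fpasswd",       # the shape quoted in the article
        "%252e%252e%252fetc%252fshadow",          # double-encoded
        "/etc/shadow",                            # absolute path
        "config/..%2f..%2f..%2f..%2fetc%2fshadow",
    ]
    for resolver in (vulnerable_resolve, naive_filter_resolve, hardened_resolve):
        print(f"== {resolver.__name__}")
        for p in probes:
            print(f"  {p:<42} -> {demo(resolver, p)}")
```

The ordering is the whole point: a filter that runs before decoding, or a decode that runs without a containment check, is what produces this class of CVE. Note also that `vulnerable_resolve` happens to survive the double-encoded probe only because it decodes once; that is luck, not a control.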

Firmware images are available through the Schneider Electric Software Update Portal and through authorized distributors. The update process involves downloading the binary, connecting to the RTU’s maintenance port via a configuration tool, and applying the image. Schneider Electric’s application note XR-2026-04 provides step‑by‑step guidance, including pre‑upgrade checks to avoid bricking devices in the field.

For organizations that cannot patch immediately, temporary mitigations include:
- Removing all unnecessary local user accounts from the RTU.
- Enforcing multi‑factor authentication if the RTU model supports it.
- Placing the device behind a firewall that restricts web interface access to a jump host or management VLAN.
- Disabling the Web Server functionality altogether if remote management is not required — an option available in the advanced settings of newer firmware.

However, Schneider Electric and CISA both stress that these workarounds are only stopgaps and not a substitute for the patch.

Broader Implications for OT Security

CVE-2026-6865 is the latest in a troubling series of web‑facing vulnerabilities discovered in industrial controllers. Just last month, Siemens patched a similar path traversal flaw in its Telecontrol ST7sc RTU (CVE-2026‑3982). These incidents highlight a persistent challenge: OT devices are increasingly equipped with web‑based interfaces for ease of configuration, but they often lack the rigorous input validation that is standard in modern web applications.

Dale Peterson, founder of the S4 Events conference and a longtime OT security evangelist, said the vulnerability echoes problems he has seen for years. “We keep giving operators a browser login and then act surprised when the same bugs that plagued web apps in 2005 show up in 2026,” Peterson said in an email to windowsnews.ai. “The difference is that in a substation, a misread configuration file can literally blow up a transformer.”

Asset owners face an additional hurdle: firmware updates for RTUs and other field devices often require a service window and physically visiting the site, making patching a logistical challenge. Many utilities run such devices for a decade or more, and fear of unintentional outages leads to delay. This creates a long‑tail risk that attackers may exploit even after patches are released.

Reality Check: How Widespread Is the Exposure?

Schneider Electric has not published an estimate of how many affected units are deployed, but market intelligence from ARC Advisory Group and independent analysts places the combined installed base of EasyLogic and Saitel DP RTUs in the hundreds of thousands worldwide. The majority are deployed in electrical utility networks, with a smaller but notable presence in water/wastewater and oil & gas midstream operations.

Shodan searches for exposed EasyLogic or Saitel web interfaces return fewer than 500 results globally, but that is not a reliable indicator because most OT devices are carefully firewalled and not reachable from the public internet. The real risk lies in the internal corporate‑to‑OT DMZ, where a compromised IT workstation could be used to reach the vulnerable RTU management interface.

Penetration testers from the consulting firm Sentar confirmed in a blog post published Wednesday that they had identified vulnerable firmware in one out of every three engagements they performed in the energy sector over the past quarter. “It’s always a race between the vendor patch and the operational timeline,” the post reads. “We’re seeing RTU vulnerabilities remain unpatched for months because the risk of downtime outweighs the risk of cyberattack in the eyes of plant managers.”

A Step‑by‑Step Patch Priority

For leaders of grid operators and industrial control system security teams, triaging the CVE‑2026‑6865 patch should follow a clear priority ladder:
1. RTUs at substations that have external network connections, or that have recently been serviced from maintenance laptops that were also connected to the internet.
2. RTUs that are accessible from the corporate LAN via a jump server, particularly if that jump server has faced any malware incidents in the past 90 days.
3. All other affected RTUs, regardless of network segmentation.

Because exploitation requires authentication, the first and most immediate action—even ahead of patching—is to audit local user accounts on every EasyLogic and Saitel DP unit and remove any default, shared, or unused accounts. The default operator and guest accounts that ship with the firmware should be disabled or given strong, unique passwords. Because a successful exploit exposes password hashes, credentials on any unit suspected of having been probed should be rotated after the firmware update is applied, since rotating them on a still-vulnerable device only hands the attacker the new hashes.

What This Means for Windows Users in OT Environments

While the vulnerability itself resides in a non‑Windows embedded Linux platform, the broader ecosystem often involves Windows‑based engineering workstations, HMIs, and Active Directory domains that extend into the OT network. An attacker who compromises a Windows machine through a phishing email could use that foothold to pivot and exploit CVE‑2026‑6865 on an RTU reachable from that subnet. The Colonial Pipeline and Oldsmar water treatment incidents are often cited as the IT‑to‑OT pattern; neither involved exploiting a field device (Colonial was ransomware on the IT network followed by a precautionary pipeline shutdown, Oldsmar was remote‑access software on an HMI workstation), but both show that a foothold on the Windows side is what puts OT within reach.

Thus, the patching conversation should extend to the Windows infrastructure that touches these RTUs. Apply Microsoft’s Windows security baselines and enable Exploit Guard on any laptop or server used to configure EasyLogic or Saitel controllers, and use Windows Defender Application Control (WDAC) to restrict which software can run on those engineering stations. Network reachability is a separate control: Windows Firewall rules on the management hosts, together with the segmentation and jump‑host restrictions described above, should ensure that only authorized management stations can reach the RTU’s web interface.

Schneider Electric’s Security Evolution

Schneider Electric has invested heavily in building a mature PSIRT in recent years. The company now publishes regular advisories through its dedicated security notification portal, participates in CISA’s coordinated vulnerability disclosure program, and has been recognized by industry analysts for its proactive approach. The speed with which CVE‑2026‑6865 was patched—just under 90 days from initial report to fix—reflects growing maturity in industrial vendor vulnerability management.

Yet the onus remains on the asset owner to actually deploy the update. Industrial companies often lag behind enterprise IT patching cadences, with one survey by the Ponemon Institute finding that 58% of OT managers delay patches for over a month because of change control processes. For a vulnerability as easy to exploit as CVE‑2026‑6865, that month‑long gap could be catastrophic.

Looking Ahead

Expect CISA to add CVE‑2026‑6865 to its Known Exploited Vulnerabilities (KEV) catalog within the next 30 days if evidence of in‑the‑wild exploitation emerges. That would trigger mandatory patching deadlines for federal civilian agencies and could influence insurance underwriters to require proof of remediation for industrial cyber policies.

Security researchers at Claroty’s Team82 have already begun developing a Metasploit module to automate proof‑of‑concept demonstrations, not for malicious use but to help asset owners test their exposure. Such tools often reduce the barrier to entry for less skilled attackers, making timely patching even more critical.

In the long run, the incident underscores the need for secure‑by‑design principles in OT firmware. Industry consortia like the ISA Global Cybersecurity Alliance are pushing for formal validation checks against the OWASP Top 10 in all industrial software development lifecycles. Until that becomes table stakes, security teams must remain vigilant—applying vendor patches, hardening configurations, and monitoring for anomalous file access on the devices that keep the lights on.