Operators of energy grids, water utilities, and other critical infrastructure are urged to apply immediate firmware updates to Schneider Electric’s EasyLogic T150 and Saitel DP remote terminal units after the disclosure of a high-severity vulnerability that exposes login credentials in an insufficiently protected manner.

Tracked as CVE-2026-9650, the security flaw affects the firmware of these widely deployed industrial RTUs, devices that serve as the backbone of supervisory control and data acquisition (SCADA) systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert alongside Schneider Electric’s own advisory, underscoring the risk of credential theft by remote attackers with network access to the affected devices.

Vulnerability Details

CVE-2026-9650 stems from the improper protection of credentials stored on the EasyLogic T150 and Saitel DP RTUs. An attacker who can reach the device’s management interface—whether locally or over the network—could extract authentication data without needing prior authentication, potentially gaining full administrative control of the RTU.

Schneider Electric’s advisory confirms that the vulnerability can be exploited remotely and requires low attack complexity, though no proof-of-concept exploit code has been publicly released at the time of this writing. The Common Vulnerability Scoring System (CVSS) v3.1 base score has been calculated at 8.6, placing it firmly in the “high” severity category. This score reflects the relative ease of exploitation and the complete compromise of confidentiality, integrity, and availability that could follow.

Affected Products and Firmware Versions

The following Schneider Electric products are impacted:

  • EasyLogic T150 RTU: All firmware versions up to and including 11.06.30
  • Saitel DP RTU: All firmware versions up to and including 11.06.35

These RTUs are used in a range of critical infrastructure sectors, including electric utilities, water treatment plants, oil and gas pipelines, and transportation networks. The Saitel DP series, in particular, is a modular platform designed for harsh environments, often deployed in unmanned substations to manage protection, control, and automation functions.

Technical Breakdown: Insufficiently Protected Credentials

The root cause of CVE-2026-9650 lies in how the RTU firmware stores authentication data—such as passwords or cryptographic keys—in a location or format that lacks adequate safeguards. In secure embedded systems, credentials should be encrypted using a device-unique key or stored in a hardware-backed secure element. However, on these affected units, the credentials are either kept in plaintext or protected with a weak, reversible algorithm that can be bypassed once an attacker gains even limited access to the file system or memory.

Exploitation typically requires an adversary to first establish a network foothold in the OT environment, which could be achieved through phishing, exploitation of a separate internet-facing service, or by compromising a poorly segmented IT–OT bridge. Once on the same network segment as an EasyLogic or Saitel RTU, the attacker can use standard protocol commands or crafted packets to retrieve the exposed credentials. With these stolen login details, the attacker can then modify RTU logic, falsify telemetry, or disrupt physical processes—potentially causing equipment damage or service outages.

Impact and Risk Assessment

The consequences of a successful exploit are severe. An RTU acts as the local intelligence of a SCADA system, translating sensor data into digital signals and executing control commands received from a central master station. If an attacker takes over an RTU, they could:

  • Alter setpoints and thresholds, leading to unsafe operating conditions (e.g., overpressure in a pipeline, overvoltage in a power grid).
  • Disable safety interlocks, allowing equipment to operate outside safe limits.
  • Inject false data into the SCADA system, misleading operators and automated controls.
  • Use the compromised RTU as a pivot point to attack other devices on the OT network.

Because many of these RTUs are deployed in remote, unattended locations, physical access controls are minimal, making network-based defense all the more critical. The credential exposure flaw essentially grants a remote attacker the keys to the kingdom once they are on the network.

Schneider Electric’s Response and Mitigation

Schneider Electric has released firmware updates that resolve CVE-2026-9650 by implementing proper credential storage mechanisms. The company strongly recommends that users of affected products upgrade to the following firmware versions or later:

  • EasyLogic T150: Install firmware version 11.06.31 or higher.
  • Saitel DP: Install firmware version 11.06.36 or higher.

The updates introduce encrypted credential storage and additional access controls that prevent unauthorized retrieval of authentication data. In its security notification, Schneider also advises that network exposure for all control system devices should be minimized and that such devices should never be directly accessible from the internet. Operators are urged to implement network segmentation, using firewalls and virtual LANs to isolate RTUs from corporate IT networks and the internet.

For sites where immediate patching is not feasible, Schneider provides temporary mitigation measures, including:

  • Restricting network access to the RTU’s management interface to only authorized IP addresses.
  • Using a VPN or jump host for all administrative access.
  • Disabling any unused services or ports on the device.
  • Restricting physical access to the device, as local access could also lead to credential extraction.

CISA Advisory and Actions

CISA’s Industrial Control Systems (ICS) advisory on CVE-2026-9650 mirrors Schneider’s recommendations and adds a call to action for asset owners and operators. The agency highlights that this vulnerability is indicative of a broader trend of insecure credential management in OT devices, which remains a glaring blind spot in many industrial environments.

While CVE-2026-9650 has not yet been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, the advisory strongly suggests that proactive patching is the best defense. CISA recommends that organizations follow its guidance for secure remote access, including multi-factor authentication when available, and implement continuous monitoring of OT networks for suspicious activity.

Recommendations for OT Operators

Beyond the immediate firmware upgrade, organizations using EasyLogic T150 or Saitel DP RTUs should take a comprehensive approach to hardening their OT environments:

  1. Inventory and Assessment: Identify all instances of affected devices within the operational network and prioritize those in the most critical roles.
  2. Patch Management: Apply the updated firmware in a staged manner, first on less critical spare units to test for compatibility, then roll out to production systems during a planned maintenance window.
  3. Network Segmentation: Enforce strict separation between IT and OT networks. Use demilitarized zones (DMZs) and firewalls to restrict data flows to only necessary protocols and IP addresses.
  4. Credential Hygiene: Change all passwords on the RTUs after upgrading, as the old credentials may have already been compromised. Ensure strong, unique passwords are used and rotated regularly.
  5. Monitoring and Detection: Deploy OT-aware intrusion detection systems (IDS) to identify scanning or exploit attempts against RTU management interfaces. Monitor for unusual outbound connections that could indicate credential theft.
  6. Incident Response Plan: Update OT incident response playbooks to include scenarios involving compromised RTUs, with clear procedures for isolating affected devices and restoring safe operations.
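
Steps 1, 2 and 4 above can be checked mechanically against an asset list. The following Python is an added example, not code from Schneider Electric or CISA: it flags units below the fixed firmware versions named in this article and patched units whose passwords predate the upgrade. The CSV column names, site names and dates are constructed for illustration.

```python
import csv
import io
from datetime import date

# First fixed firmware per product, taken from the advisory text above.
FIXED = {"easylogic t150": (11, 6, 31), "saitel dp": (11, 6, 36)}

# Constructed sample inventory; the column layout is an assumption of this example.
SAMPLE_INVENTORY = """\
site,model,firmware,upgraded_on,password_changed_on
SUB-01,EasyLogic T150,11.06.30,,2024-03-01
SUB-02,EasyLogic T150,11.06.31,2026-02-10,2025-11-20
SUB-03,Saitel DP,11.06.36,2026-02-10,2026-02-11
SUB-04,Saitel DP,11.6.35,,2025-01-15
SUB-05,Saitel DP,unknown,,
SUB-06,Other RTU,3.2.1,,
"""

def parse_version(text):
    """Turn '11.06.30' into (11, 6, 30); return None if it is not three numbers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def parse_date(text):
    """Parse an ISO date, or return None for an empty field."""
    return date.fromisoformat(text.strip()) if text.strip() else None

def triage(row):
    """Return the next action for one inventory row."""
    fixed = FIXED.get(row["model"].strip().lower())
    if fixed is None:
        return "NOT_LISTED"            # model is not named in this advisory
    version = parse_version(row["firmware"])
    if version is None:
        return "VERIFY_FIRMWARE"       # unknown version: treat as unpatched
    if version < fixed:
        return "UPGRADE"
    upgraded = parse_date(row["upgraded_on"])
    changed = parse_date(row["password_changed_on"])
    # Passwords set before the upgrade may already have been exposed.
    if upgraded is None or changed is None or changed < upgraded:
        return "ROTATE_CREDENTIALS"
    return "OK"

def triage_inventory(csv_text):
    """Map each site in the CSV text to its triage action."""
    return {r["site"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for site, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{site}: {action}")
```

Rows with a missing or unparseable firmware string are reported for manual verification rather than assumed patched.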

Broader Implications for Industrial Cybersecurity

CVE-2026-9650 is the latest in a series of OT vulnerabilities that expose the persistent gap between IT and OT security practices. While modern IT systems benefit from encryption, secure boot, and routine patch cycles, many industrial devices still run legacy firmware with minimal security features. This vulnerability in particular highlights three systemic issues:

  • Lack of Secure Development Lifecycles: Many OT vendors are only now incorporating security into the design phase, so products retain plaintext or weakly hashed credentials that were once considered acceptable in isolated networks.
  • Visibility Challenges: Asset owners often struggle to maintain accurate inventories of OT devices, making it difficult to know which systems are vulnerable and need updates.
  • Patching Fears: The risk of disrupting critical processes often delays or prevents firmware updates, leaving systems exposed for extended periods.

The increasing connectivity of industrial control systems—driven by IIoT initiatives, remote maintenance, and cloud-based analytics—enlarges the attack surface for threat actors, including nation-state groups and ransomware gangs targeting critical infrastructure. CVE-2026-9650 serves as a reminder that foundational security measures, such as encrypting stored credentials, cannot be overlooked.

Outlook

Schneider Electric’s prompt release of firmware updates and CISA’s advisory should accelerate remediation, but the real test will be how quickly asset owners actually deploy the patches. Historically, OT patch adoption lags significantly behind IT, leaving windows of opportunity for attackers. Organizations that manage energy, water, or manufacturing operations should treat this advisory with urgency and integrate the update into their next maintenance cycle—or sooner if risk assessments deem it necessary.

As the OT threat landscape evolves, industrials must adopt a posture of continuous improvement, pushing vendors for secure-by-design products and holding themselves accountable for implementing those protections in the field. The exposure of credentials is a solved problem in most IT domains; it’s time the industrial world caught up.