
CVE-2026-9650 & CVE-2026-9651: Schneider Electric EasyLogic T150 & Saitel DP RTU Hardening Guide

Security Arsenal Team
June 30, 2026
7 min read

CISA has released advisory ICSA-26-181-04 regarding two critical vulnerabilities impacting Schneider Electric EasyLogic T150 and Saitel DP Remote Terminal Units (RTUs). These devices are critical components in industrial control systems (ICS), bridging the gap between physical infrastructure and digital networks.

The vulnerabilities, tracked as CVE-2026-9650 and CVE-2026-9651, both carry a CVSS v3 score of 7.5 (High). The core risk involves the exposure of sensitive credentials. An unauthenticated attacker can access these credentials stored within firmware or system files. In an ICS environment, credential theft is often a precursor to lateral movement, where attackers pivot from the edge RTU into the core operational technology (OT) network, potentially disrupting critical processes or deploying ransomware.

Defenders must treat these CVEs with immediate urgency. The barrier to entry is low (unauthenticated), and the impact (total compromise of device credentials) is high.

Technical Analysis

Affected Products & Versions:

The following firmware versions are vulnerable to credential exposure:

  • EasyLogic T150 (formerly Saitel DR):
    • Firmware <= 11.06.30 (CVE-2026-9650)
    • Firmware <= 11.06.31 (CVE-2026-9651)
  • Saitel DP Remote Terminal Unit:
    • Firmware <= 11.06.35 (CVE-2026-9650)
    • Firmware <= 11.06.37 (CVE-2026-9651)

Vulnerability Mechanics:

  • CVE-2026-9650 & CVE-2026-9651: These issues stem from improper access control on system files or firmware images. The RTU stores administrative or operational credentials in a manner that is retrievable without authentication.

Attack Chain:

  1. Reconnaissance: Attacker identifies exposed RTU interfaces (Web/SSH) on the public internet or via a compromised jump host in the IT network.
  2. Exploitation: Attacker sends a specific request (e.g., HTTP GET or TFTP request) to the vulnerable endpoint to retrieve system files or firmware dumps.
  3. Credential Extraction: Attacker parses the retrieved files to extract plaintext or weakly hashed credentials.
  4. Lateral Movement: Attacker uses the extracted credentials to authenticate to the RTU, modify logic, or pivot to other PLCs and HMIs on the control network.

Exploitation Status:

The advisory does not report active in-the-wild exploitation, but the publication of a CISA advisory and the nature of the flaw (easy, unauthenticated credential access) make it highly likely that scanners and exploit frameworks will add checks for these CVEs within days.

Detection & Response

Detecting exploitation of RTU devices requires visibility at the network level, as traditional EDR agents are rarely installed on embedded OT controllers. The following rules focus on identifying unauthorized access to RTU management interfaces and suspicious file retrieval patterns.

SIGMA Rules

```yaml
---
title: Schneider Electric RTU Potential Credential Access
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects potential unauthenticated access to configuration or firmware files on Schneider Electric RTUs, indicative of CVE-2026-9650 or CVE-2026-9651 exploitation attempts.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-04
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.initial_access
  - attack.t1190
  - ics
logsource:
  category: proxy
detection:
  selection:
    c-uri|contains:
      - 'config'
      - 'backup'
      - 'firmware'
      - 'system'
    c-uri|endswith:
      - '.bin'
      - '.cfg'
      - '.conf'
      - '.xml'
  filter_target:
    r-dns|contains:
      - 'schneider-electric'
    # Excludes legitimate downloads from the vendor site. Alternatively, scope the
    # selection to known RTU IP ranges if FQDNs are not used
  condition: selection and not filter_target
falsepositives:
  - Legitimate administrator backups
  - Authorized firmware updates
level: high
---
title: Suspicious Network Connection to OT RTU Ports
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects inbound connections to common Schneider Electric RTU management ports (Web/Modbus) from external or unexpected internal sources.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-04
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.initial_access
  - attack.t1190
  - ics
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort:
      - 80
      - 443
      - 502
    Initiated: 'true'
  filter_range:
    SourceIp|startswith:
      - '10.'
      - '192.168.'
      - '172.'   # broader than RFC 1918 172.16.0.0/12; narrow this to your actual ranges
  condition: selection and not filter_range
falsepositives:
  - Legitimate remote access from corporate VPNs (if VPN ranges are not whitelisted in filter)
level: medium
```

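The following is an added example, not part of the original advisory or the Security Arsenal rule set: it applies the first Sigma rule's selection logic to a few constructed proxy log lines and scopes matches to RTU destinations (by IP range or hostname pattern), as the rule's comment suggests for environments without FQDNs. The log format, the RTU subnet 10.10.40.0/24 and the `rtu-` hostname prefix are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the page): timestamp, client IP, method, URL, HTTP status
SAMPLE_PROXY_LOG = """\
2026-06-30T08:01:12Z 10.20.5.17 GET http://10.10.40.21/system/backup.cfg 200
2026-06-30T08:01:13Z 10.20.5.17 GET http://10.10.40.21/firmware/image.bin 200
2026-06-30T08:02:40Z 10.20.5.42 GET https://www.schneider-electric.com/firmware/update.bin 200
2026-06-30T08:03:01Z 10.20.5.17 GET http://10.10.40.21/index.html 200
2026-06-30T08:04:55Z 10.20.5.99 GET http://rtu-substation-3.ot.example/config/export.xml 401
"""

# Mirrors the Sigma rule's selection: path keywords and sensitive file extensions
URI_KEYWORDS = ("config", "backup", "firmware", "system")
URI_SUFFIXES = (".bin", ".cfg", ".conf", ".xml")

# Assumed RTU scoping (placeholder values): hostname prefix and RTU management subnet
RTU_HOSTNAME_PATTERN = re.compile(r"^rtu-", re.IGNORECASE)
RTU_NETWORKS = [ipaddress.ip_network("10.10.40.0/24")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_rtu_destination(host):
    """True if the request host is an RTU, matched by IP range or by hostname pattern."""
    try:
        return any(ipaddress.ip_address(host) in net for net in RTU_NETWORKS)
    except ValueError:  # not an IP literal, fall back to the hostname pattern
        return bool(RTU_HOSTNAME_PATTERN.search(host))


def matches_rule(url):
    """Sigma selection: a keyword anywhere in the path and a sensitive extension at its end."""
    path = urlsplit(url).path.lower()
    return any(k in path for k in URI_KEYWORDS) and path.endswith(URI_SUFFIXES)


def find_suspicious_requests(log_text):
    """Return (timestamp, client_ip, url, status) for rule matches aimed at an RTU.
    A 401 still counts: a rejected probe for a credential file is worth an alert."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        ts, client, _method, url, status = m.groups()
        host = urlsplit(url).hostname or ""
        if matches_rule(url) and is_rtu_destination(host):
            hits.append((ts, client, url, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_PROXY_LOG):
        print("[ALERT] possible RTU credential-file retrieval:", hit)
```

The vendor-site download on the third line is dropped by the RTU scoping alone, which is the same false-positive class the rule's filter_target removes.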

**KQL (Microsoft Sentinel / Defender)**

```kql
// Hunt for unauthorized access attempts to RTU interfaces
let OT_Subnets = dynamic(["10.0.0.0/8", "192.168.0.0/16"]); // Define your OT/RTU subnets
DeviceNetworkEvents
| where RemotePort in (80, 443, 502) // Web and Modbus ports
| where ActionType in ("ConnectionSuccess", "ConnectionAllowed")
// Connections into the OT subnets that originate from a host outside them
// (ipv4_is_in_any_range accepts the dynamic array; ipv4_is_in_range takes a single range)
| where ipv4_is_in_any_range(RemoteIP, OT_Subnets)
| where not(ipv4_is_in_any_range(LocalIP, OT_Subnets))
| project Timestamp, DeviceName, LocalIP, InitiatingProcessAccountName, RemoteIP, RemotePort, ActionType
| order by Timestamp desc
```


**Velociraptor VQL**

```vql
-- Hunt for engineering workstation tools attempting to interact with RTU IPs
-- Targeting Windows engineering workstations that might be compromised or misused
-- (the tool names are parenthesised: AND binds tighter than OR, so without the
-- parentheses only 'plink' would be subject to the IP and port checks)
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE (Name =~ 'curl' OR Name =~ 'wget' OR Name =~ 'putty' OR Name =~ 'plink')
  AND (CommandLine =~ '192.168.' OR CommandLine =~ '10.' OR CommandLine =~ '172.')
  AND (CommandLine =~ ':80' OR CommandLine =~ ':443' OR CommandLine =~ ':502')
```


**Remediation Script (Bash)**

*Note: This script is intended to be run on the RTU if shell access is available, to check for vulnerable firmware versions. Use with caution in production environments.*

```bash
#!/bin/bash
# Remediation check for Schneider Electric RTU CVE-2026-9650 / CVE-2026-9651
# Compares the current firmware version against the vulnerable thresholds

# Get current version (adjust the path for the specific model OS); strip trailing newline/whitespace
if [ -f /etc/version ]; then
    CURRENT_VERSION=$(tr -d '[:space:]' < /etc/version)
elif [ -f /firmware/version ]; then
    CURRENT_VERSION=$(tr -d '[:space:]' < /firmware/version)
else
    echo "Unable to determine firmware version automatically."
    exit 1
fi

echo "Current Firmware Version: $CURRENT_VERSION"

# Returns 0 (vulnerable) if version <= limit, using natural version ordering (requires 'sort -V').
# sort -V lists the lower version first; an equal version also lands on the first line, so <= is covered.
check_vulnerable() {
    local version=$1
    local limit=$2
    [ "$(printf '%s\n' "$version" "$limit" | sort -V | head -n1)" = "$version" ]
}

# Checks for CVE-2026-9650 (T150 <= 11.06.30 / Saitel DP <= 11.06.35)
if check_vulnerable "$CURRENT_VERSION" "11.06.30"; then
    echo "[ALERT] Device is VULNERABLE to CVE-2026-9650. Version $CURRENT_VERSION is <= 11.06.30 (or 11.06.35 for Saitel)."
    echo "Action: Upgrade to the latest firmware provided by Schneider Electric immediately."
elif check_vulnerable "$CURRENT_VERSION" "11.06.35"; then
    echo "[ALERT] Device is potentially VULNERABLE to CVE-2026-9650. Saitel DP RTU versions <= 11.06.35 are affected."
    echo "Action: Verify model and upgrade if applicable."
fi

# Checks for CVE-2026-9651 (T150 <= 11.06.31 / Saitel DP <= 11.06.37)
if check_vulnerable "$CURRENT_VERSION" "11.06.31"; then
    echo "[ALERT] Device is VULNERABLE to CVE-2026-9651. Version $CURRENT_VERSION is <= 11.06.31 (or 11.06.37 for Saitel)."
    echo "Action: Upgrade to the latest firmware provided by Schneider Electric immediately."
elif check_vulnerable "$CURRENT_VERSION" "11.06.37"; then
    echo "[ALERT] Device is potentially VULNERABLE to CVE-2026-9651. Saitel DP RTU versions <= 11.06.37 are affected."
    echo "Action: Verify model and upgrade if applicable."
fi

# Only a version above both CVE-2026-9651 thresholds is safe regardless of model
if ! check_vulnerable "$CURRENT_VERSION" "11.06.31" && ! check_vulnerable "$CURRENT_VERSION" "11.06.37"; then
    echo "[INFO] Device version $CURRENT_VERSION appears to be patched based on version string comparison."
fi
```

Remediation

  1. Patch Immediately: Apply the relevant security patches released by Schneider Electric. Ensure all EasyLogic T150 devices are updated beyond v11.06.31 and Saitel DP RTUs are updated beyond v11.06.37.
  2. Credential Rotation: If your devices were running vulnerable firmware, assume that credentials may have been compromised. Force a rotation of all administrative and operational passwords for these RTUs immediately after patching.
  3. Network Segmentation: Ensure RTUs are placed in a dedicated VLAN with strict firewall rules. Access to the management ports (80/443/502) should be restricted only to designated Engineering Workstations and the SCADA server. Block internet access to and from these devices entirely.
  4. Disable Unused Services: If SSH or Telnet is not required for operations, disable them. Ensure the web interface is not exposed to the wider corporate LAN or internet.
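Because the on-device script above cannot tell a T150 from a Saitel DP, a fleet-level triage is easier to run from an asset inventory. This added example (not part of the advisory or any vendor tool) encodes the per-model thresholds from the Affected Products list and maps each constructed inventory row to the patch-and-rotate action from steps 1 and 2; the hostnames and the inventory tuple format are assumptions.

```python
# Per-model "affected if version <= threshold" table, taken from the advisory's version list
THRESHOLDS = {
    "EasyLogic T150": {"CVE-2026-9650": (11, 6, 30), "CVE-2026-9651": (11, 6, 31)},
    "Saitel DP":      {"CVE-2026-9650": (11, 6, 35), "CVE-2026-9651": (11, 6, 37)},
}


def parse_version(text):
    """'11.06.30' -> (11, 6, 30). Raises on junk so a bad inventory row is not silently marked safe."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def affected_cves(model, version):
    """Return the set of CVEs a device of this model and firmware version is affected by."""
    v = parse_version(version)
    return {cve for cve, limit in THRESHOLDS[model].items() if v <= limit}


# Constructed sample inventory (hostname, model, firmware); placeholder hostnames
INVENTORY = [
    ("rtu-sub1-a", "EasyLogic T150", "11.06.30"),
    ("rtu-sub1-b", "EasyLogic T150", "11.06.31"),
    ("rtu-sub1-c", "EasyLogic T150", "11.06.32"),
    ("rtu-sub2-a", "Saitel DP", "11.06.36"),
    ("rtu-sub2-b", "Saitel DP", "11.06.38"),
]


def triage(inventory):
    """Map each host to (sorted affected CVEs, action). Any affected version means the
    credentials must be treated as exposed, so patching alone is not the closing action."""
    report = {}
    for host, model, fw in inventory:
        cves = affected_cves(model, fw)
        action = "patch + rotate credentials" if cves else "patched"
        report[host] = (sorted(cves), action)
    return report


if __name__ == "__main__":
    for host, (cves, action) in triage(INVENTORY).items():
        print(f"{host:12s} {action:28s} {' '.join(cves)}")
```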

Official Advisories:

  • Schneider Electric Security Advisory (SEVD-2026-XXX-01)
  • CISA Advisory ICSA-26-181-04
