Schneider Electric EasyLogic T150 and Saitel DP (CVE-2026-6865)
Schneider Electric EasyLogic T150 and Saitel DP Remote Terminal Units are affected by a high-severity Path Traversal vulnerability (CVE-2026-6865, CVSS 7.1). This flaw allows authenticated attackers to access sensitive files on the device due to improper limitation of a pathname to a restricted directory. Firmware updates are available to patch the vulnerability.
Authors:
Detection / HunterGoogle
What Happened
A security flaw was discovered in Schneider Electric EasyLogic T150 and Saitel DP devices, which are often used in energy and manufacturing sectors. This vulnerability allows an attacker to access sensitive files on the device that they shouldn't be able to see. If exploited, it could lead to unauthorized information disclosure. Organizations using these devices should update their firmware to the latest versions provided by Schneider Electric and ensure the devices are not directly exposed to the internet.
Key Takeaways
- A high-severity Path Traversal vulnerability (CVE-2026-6865) affects Schneider Electric EasyLogic T150 and Saitel DP RTUs.
- Exploitation allows attackers to gain unauthorized access to sensitive files via improperly handled user-supplied input.
- Firmware updates (11.06.32 for EasyLogic T150 and 11.06.37 for Saitel DP) are available to remediate the issue.
- No known public exploitation has been reported at this time.
Affected Systems
- Schneider Electric EasyLogic T150 (formerly Saitel DR) Firmware <= 11.06.31
- Schneider Electric Saitel DP Firmware <= 11.06.36
Vulnerabilities (CVEs)
- CVE-2026-6865
Attack Chain
An attacker with low-privileged access interacts with the server-side file path processing mechanism of the affected Schneider Electric RTU. By supplying crafted input containing path traversal characters, the attacker bypasses directory restrictions. This allows the attacker to read sensitive files outside the intended restricted directory.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries were provided in the advisory.
Detection Engineering Assessment
- EDR Visibility: None. EDR agents cannot be installed on proprietary Schneider Electric RTU firmware.
- Network Visibility: Medium. Network IDS/IPS may detect path traversal payloads (e.g., '../') in HTTP/API requests directed at the RTUs.
- Detection Difficulty: Moderate. Detecting path traversal attempts on network traffic is feasible, but distinguishing legitimate administrative traffic from exploitation on proprietary ICS protocols/web interfaces can be challenging without specific signatures.
Required Log Sources
- Network Traffic Logs
- Web Server Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for HTTP requests directed at Schneider Electric RTUs containing path traversal sequences (e.g., '../', '%2e%2e%2f') in URL parameters or headers. | Network Traffic Logs | Exploitation | Low |
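As an added example (not part of the advisory or of any Schneider Electric tooling), the hunt above applied to constructed web-server log lines in Python: request paths are percent-decoded repeatedly so that encoded and double-encoded variants ('%2e%2e%2f', '%252e%252e%252f') are normalised before matching, which a literal '../' grep would miss. The log layout, paths and IP addresses are constructed assumptions, not real RTU traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in combined log format (assumed layout, not real RTU logs).
SAMPLE_LOGS = [
    '10.0.0.5 - admin [01/Jan/2026:10:00:00 +0000] "GET /api/files?name=report.csv HTTP/1.1" 200 512',
    '10.0.0.9 - admin [01/Jan/2026:10:00:05 +0000] "GET /api/files?name=../../etc/passwd HTTP/1.1" 200 1800',
    '10.0.0.9 - admin [01/Jan/2026:10:00:07 +0000] "GET /api/files?name=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0',
    '10.0.0.9 - admin [01/Jan/2026:10:00:09 +0000] "GET /api/files?name=%252e%252e%252fconfig HTTP/1.1" 200 900',
    '10.0.0.5 - admin [01/Jan/2026:10:00:12 +0000] "GET /static/app..js HTTP/1.1" 200 4096',
]

# Request line inside the quoted field: method, path, protocol.
REQUEST = re.compile(r'"(?:GET|POST|PUT|HEAD|OPTIONS) (\S+) HTTP/')
# A parent-directory segment followed by a separator, or one that ends the path.
# Backslashes are folded to '/' in normalize(), so '..\' is covered as well.
TRAVERSAL = re.compile(r'\.\./|/\.\.$')


def normalize(path, rounds=3):
    """Percent-decode until stable (bounded) so double-encoded sequences like
    %252e are reduced to '.', then fold backslashes to forward slashes."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def find_traversal(log_lines):
    """Return (line_number, client_ip, decoded_path) for every request whose
    normalised path contains a parent-directory traversal sequence."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = REQUEST.search(line)
        if not m:
            continue
        decoded = normalize(m.group(1))
        if TRAVERSAL.search(decoded):
            hits.append((n, line.split(' ', 1)[0], decoded))
    return hits


if __name__ == '__main__':
    for n, ip, path in find_traversal(SAMPLE_LOGS):
        print(f'line {n}: {ip} -> {path}')
```

Lines 2, 3 and 4 of the sample are flagged; the '..' inside a filename such as 'app..js' is not, which keeps the FP rate in line with the Low rating above. Overlong or Unicode-encoded dots (e.g. '%c0%ae') are not handled here and would need an extra normalisation step.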
Control Gaps
- Lack of endpoint visibility on proprietary ICS devices
- Direct internet exposure of ICS devices
Key Behavioral Indicators
- Path traversal characters in web requests to RTU management interfaces
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Ensure strict credential controls are enforced for all users accessing the affected RTUs.
- Evaluate whether affected devices can be isolated from business networks and the public internet.
Infrastructure Hardening
- Consider updating EasyLogic T150 firmware to version 11.06.32 and Saitel DP firmware to version 11.06.37.
- Minimize network exposure for all control system devices and ensure they are placed behind firewalls.
- If remote access is required, consider using secure methods such as updated Virtual Private Networks (VPNs).
User Protection
- N/A
Security Awareness
- Remind ICS operators and administrators to avoid clicking web links or opening attachments in unsolicited emails to prevent credential theft.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1083 - File and Directory Discovery