Schneider Electric EcoStruxure Panel Server (CVE-2026-6866)
Schneider Electric EcoStruxure Panel Servers contain an insecure default initialization vulnerability (CVE-2026-6866, CVSS 7.5) that can lead to unauthorized authentication. Under rare circumstances, credentials may revert to initial settings, allowing attackers to access sensitive information using known default credentials.
Authors: CISA, Schneider Electric CPCERT
What Happened
Schneider Electric has identified a security flaw in its EcoStruxure Panel Server devices. This vulnerability could allow an attacker to gain unauthorized access to sensitive information if the device's passwords accidentally reset to their factory defaults. This issue affects organizations in commercial facilities, critical manufacturing, and energy sectors. To fix this, administrators should update the device firmware to version 002.006.000 and ensure these systems are not directly accessible from the internet.
Key Takeaways
- Schneider Electric EcoStruxure Panel Servers are affected by an insecure default initialization vulnerability (CVE-2026-6866).
- The flaw allows unauthorized authentication using known credentials if the device reverts to initial settings.
- Firmware version 002.006.000 has been released to fix the issue across PAS800, PAS600, and PAS400 series devices.
- Organizations are strongly advised to isolate control system networks from business networks and the internet.
Affected Systems
- EcoStruxure Panel Server PAS800 (versions 002.005.000 and prior)
- EcoStruxure Panel Server PAS800V2 (versions 002.005.000 and prior)
- EcoStruxure Panel Server PAS600 (versions 002.005.000 and prior)
- EcoStruxure Panel Server PAS600V2 (versions 002.005.000 and prior)
- EcoStruxure Panel Server PAS400 (versions 002.005.000 and prior)
Vulnerabilities (CVEs)
- CVE-2026-6866
Attack Chain
An attacker targets a Schneider Electric EcoStruxure Panel Server that has reverted to its initial settings due to rare circumstances. The attacker uses known default credentials to authenticate to the device over the network. Once authenticated, the attacker gains unauthorized access to sensitive information stored on or passing through the gateway.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the advisory.
Detection Engineering Assessment
- EDR Visibility: None. EDR agents cannot be installed on proprietary Schneider Electric ICS gateway appliances.
- Network Visibility: Medium. Network monitoring tools can detect anomalous authentication attempts or traffic to/from the ICS devices, but identifying a default credential login versus a legitimate one may be difficult without deep packet inspection or application-level logging.
- Detection Difficulty: Hard. Detecting the use of default credentials requires specific application-level logging from the appliance, which may not be centrally collected in many OT environments.
Required Log Sources
- Network traffic logs (Firewall/IDS)
- ICS application authentication logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for successful authentication events originating from unexpected IP addresses or business network segments targeting EcoStruxure Panel Servers. | Network firewall logs, ICS application authentication logs | Initial Access | Medium |
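
The hunting hypothesis above, sketched as an added example (not part of the advisory or any Schneider Electric tooling): flag successful logins to Panel Servers whose source lies outside the approved OT management subnet. The key=value log format, IP addresses, usernames, and the `PANEL_SERVERS` and `ALLOWED_SOURCES` names are all constructed assumptions; adapt the parser to whatever your firewall or appliance actually emits.

```python
import ipaddress
import re

# Assumptions, not from the advisory: asset inventory and approved admin subnet.
PANEL_SERVERS = {"10.20.0.15", "10.20.0.16"}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.1.0/28")]

# Constructed sample events in a hypothetical key=value format.
SAMPLE_LOG = """\
2026-01-10T08:01:12Z src=10.20.1.5 dst=10.20.0.15 user=ot_eng action=login result=success
2026-01-10T08:14:40Z src=192.168.50.23 dst=10.20.0.15 user=svc_view action=login result=success
2026-01-10T08:15:02Z src=192.168.50.23 dst=10.20.0.16 user=svc_view action=login result=failure
2026-01-10T09:30:00Z src=10.20.1.7 dst=10.30.0.9 user=ot_eng action=login result=success
2026-01-10T09:45:10Z src=203.0.113.77 dst=10.20.0.16 user=svc_view action=login result=success
malformed line without fields
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"src", "dst", "action", "result"}

def parse_line(line):
    """Return a dict of fields plus 'ts', or None if the line is unusable."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    if not REQUIRED <= fields.keys():
        return None
    fields["ts"] = parts[0]
    return fields

def hunt(log_text):
    """Successful logins to a Panel Server from outside the allowed subnets."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "login" or ev["result"] != "success":
            continue
        if ev["dst"] not in PANEL_SERVERS:
            continue  # not an inventoried Panel Server
        try:
            src = ipaddress.ip_address(ev["src"])
        except ValueError:
            continue  # unparseable source address
        if not any(src in net for net in ALLOWED_SOURCES):
            hits.append((ev["ts"], ev["src"], ev["dst"], ev.get("user", "?")))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("REVIEW:", *hit)
```

A hit here only means the source was unexpected; it cannot tell a default-credential login from a legitimate one, which is why the assessment below rates detection as hard.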
Control Gaps
- Lack of centralized OT authentication logging
- Direct internet exposure of ICS devices
Key Behavioral Indicators
- Successful logins using default vendor credentials (if logged)
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider updating EcoStruxure Panel Server firmware to version 002.006.000 where supported by your maintenance windows.
- Evaluate whether affected devices are exposed to the internet and restrict access immediately if applicable.
Infrastructure Hardening
- Consider locating control system networks and remote devices behind firewalls, isolating them from business networks.
- If remote access is required, evaluate using secure methods such as Virtual Private Networks (VPNs) with up-to-date software.
- Consider implementing physical controls to prevent unauthorized personnel from accessing industrial control systems and peripheral equipment.
User Protection
- Evaluate enforcing strong, non-default passwords for all ICS devices and monitoring for unexpected password resets.
Security Awareness
- Consider training OT staff on the risks of default credentials and the importance of network segmentation for industrial control systems.
MITRE ATT&CK Mapping
- T1078.001 - Valid Accounts: Default Accounts
- T1190 - Exploit Public-Facing Application