Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
CWE‑331 Insufficient Entropy vulnerability exists that could lead to unauthorized access when an attacker on the network can exploit weaknesses in session‑management protections.
AnalysisAI
Weak session token generation in Schneider Electric industrial protection relays and energy management systems allows remote attackers to hijack authenticated user sessions via network-based prediction attacks. Affects 36 product variants across Easergy MiCOM P30/P40/C264, PowerLogic P5/P7/T-series, EcoStruxure Power Automation/Operation platforms, and iPMFLS systems. CVSS 8.7 reflects high confidentiality and integrity impact with user interaction required. No active exploitation confirmed (not in CISA KEV), but authentication bypass via session prediction enables privilege escalation in critical infrastructure environments. EPSS data not provided - risk assessment relies on CVSS vector and operational technology context.
Technical ContextAI
The vulnerability stems from CWE-331 (Insufficient Entropy), indicating predictable session token generation in web management interfaces of Schneider Electric operational technology products. These industrial protection relays and SCADA gateway systems use session tokens for authenticating users to web-based human-machine interfaces. Insufficient randomness in token generation algorithms - typically from weak pseudo-random number generators, timestamp-based seeds, or sequential identifiers - enables attackers to predict valid session tokens through statistical analysis or brute-force enumeration. The CVSS 4.0 vector (PR:N with UI:P) confirms the attack requires no authentication but depends on a legitimate user establishing a session first. Affected CPE strings span Schneider's industrial automation portfolio: MiCOM protective relays (electrical grid protection), PowerLogic metering/monitoring platforms, EcoStruxure SCADA gateways, and facility power management systems - all deployed in critical infrastructure.
RemediationAI
Apply vendor-released firmware updates per Schneider Electric security notice SEVD-2026-132-02 (https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-132-02). Specific patched versions not detailed in available data - consult advisory for exact upgrade paths per product family. For Easergy MiCOM P30/P40 relays: upgrade to versions exceeding .678/.679/.680 thresholds documented in EUVD affected version matrix. For PowerLogic P5/P7 platforms: upgrade beyond V02.502.103 and V02.002.002 respectively. For EcoStruxure components: upgrade EPAS-GTW beyond 6.4.616.200.100, EPAS-UI beyond 3.0.3, Power Operation beyond 2024 CU2. Compensating controls until patching: (1) Enforce aggressive session timeout policies (under 15 minutes idle) to narrow prediction windows - reduces attacker opportunity but impacts operator workflows requiring sustained monitoring sessions. (2) Restrict management interface access to dedicated jump hosts or OT management VLANs with IP whitelisting - limits attack surface but requires network segmentation investment. (3) Enable all available access logging and monitor for concurrent sessions from different source IPs - detects hijacking but does not prevent. (4) Disable remote web access and require serial console for configuration changes - eliminates network vector entirely but severely constrains operational flexibility and remote troubleshooting. Note session timeout enforcement may conflict with alarm monitoring requirements in 24/7 substations.
Same weakness CWE-331 – Insufficient Entropy
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29459
GHSA-r6x4-qp59-vf35