Skip to main content

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 12, 2026 - 15:01 vuln.today
CVSS changed
May 12, 2026 - 13:22 NVD
8.7 (HIGH)
CVE Published
May 12, 2026 - 12:24 nvd
UNKNOWN (no severity yet)
CVE Published
May 12, 2026 - 12:24 nvd
HIGH 8.7

DescriptionCVE.org

CWE‑331 Insufficient Entropy vulnerability exists that could lead to unauthorized access when an attacker on the network can exploit weaknesses in session‑management protections.

AnalysisAI

Weak session token generation in Schneider Electric industrial protection relays and energy management systems allows remote attackers to hijack authenticated user sessions via network-based prediction attacks. Affects 36 product variants across Easergy MiCOM P30/P40/C264, PowerLogic P5/P7/T-series, EcoStruxure Power Automation/Operation platforms, and iPMFLS systems. CVSS 8.7 reflects high confidentiality and integrity impact with user interaction required. No active exploitation confirmed (not in CISA KEV), but authentication bypass via session prediction enables privilege escalation in critical infrastructure environments. EPSS data not provided - risk assessment relies on CVSS vector and operational technology context.

Technical ContextAI

The vulnerability stems from CWE-331 (Insufficient Entropy), indicating predictable session token generation in web management interfaces of Schneider Electric operational technology products. These industrial protection relays and SCADA gateway systems use session tokens for authenticating users to web-based human-machine interfaces. Insufficient randomness in token generation algorithms - typically from weak pseudo-random number generators, timestamp-based seeds, or sequential identifiers - enables attackers to predict valid session tokens through statistical analysis or brute-force enumeration. The CVSS 4.0 vector (PR:N with UI:P) confirms the attack requires no authentication but depends on a legitimate user establishing a session first. Affected CPE strings span Schneider's industrial automation portfolio: MiCOM protective relays (electrical grid protection), PowerLogic metering/monitoring platforms, EcoStruxure SCADA gateways, and facility power management systems - all deployed in critical infrastructure.

RemediationAI

Apply vendor-released firmware updates per Schneider Electric security notice SEVD-2026-132-02 (https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-132-02). Specific patched versions not detailed in available data - consult advisory for exact upgrade paths per product family. For Easergy MiCOM P30/P40 relays: upgrade to versions exceeding .678/.679/.680 thresholds documented in EUVD affected version matrix. For PowerLogic P5/P7 platforms: upgrade beyond V02.502.103 and V02.002.002 respectively. For EcoStruxure components: upgrade EPAS-GTW beyond 6.4.616.200.100, EPAS-UI beyond 3.0.3, Power Operation beyond 2024 CU2. Compensating controls until patching: (1) Enforce aggressive session timeout policies (under 15 minutes idle) to narrow prediction windows - reduces attacker opportunity but impacts operator workflows requiring sustained monitoring sessions. (2) Restrict management interface access to dedicated jump hosts or OT management VLANs with IP whitelisting - limits attack surface but requires network segmentation investment. (3) Enable all available access logging and monitor for concurrent sessions from different source IPs - detects hijacking but does not prevent. (4) Disable remote web access and require serial console for configuration changes - eliminates network vector entirely but severely constrains operational flexibility and remote troubleshooting. Note session timeout enforcement may conflict with alarm monitoring requirements in 24/7 substations.

Share

CVE-2026-4827 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy