Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack vector with high privileges required; only confidentiality is impacted via hash disclosure; no integrity or availability effect.
Primary rating from Vendor (schneider).
CVSS VectorVendor: schneider
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
CWE-732 Incorrect Permission Assignment for Critical Resource vulnerability that could cause unauthorized disclosure of password hashes and potential account compromise when an attacker with privileged local access reads improperly protected system files.
AnalysisAI
Incorrect file permission assignment on Schneider Electric EasyLogic T150 (formerly Saitel DR) and Saitel DP Remote Terminal Units exposes password hashes stored in system files to unauthorized reading by privileged local users. An attacker who has already obtained privileged local access to the RTU can read these improperly protected files, extract credential hashes, and perform offline cracking to achieve account compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an attacker to have privileged local access to the affected RTU (PR:H per the CVSS 4.0 vector, AV:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N yields a score of 6.7, accurately capturing the constrained attack surface: exploitation requires local access with high privileges already in hand, meaning an attacker must have substantially compromised the device before this vulnerability becomes relevant. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has gained privileged local access to an EasyLogic T150 or Saitel DP RTU - whether through physical console access, a compromised maintenance account, or prior exploitation of another vulnerability - navigates to the improperly protected system file containing password hashes and reads its contents. The extracted hashes are then subjected to offline dictionary or brute-force cracking, yielding plaintext credentials that can be used to authenticate to the RTU or to other OT devices where passwords are reused. … |
| Remediation | Consult Schneider Electric Security Advisory SEVD-2026-160-02, available at https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-160-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-160-02.pdf, for the primary remediation guidance including any patched firmware version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Credential exposure in Schneider Electric EasyLogic T150 (formerly Saitel DR) and Saitel DP Remote Terminal Units & Cont
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) vulnerability that could cause un
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39431
GHSA-633j-w347-p8v6