Skip to main content

PowerLogic P7 CVE-2026-9716

| EUVDEUVD-2026-39433 HIGH
NULL Pointer Dereference (CWE-476)
2026-06-25 schneider GHSA-r5gq-r69x-5f8p
8.7
CVSS 4.0 · Vendor: schneider
Share

Severity by source

Vendor (schneider) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote, low-complexity, unauthenticated malformed requests crash the HMI service with availability-only impact, so PR:N/AC:L/A:H and C:N/I:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (schneider).

CVSS VectorVendor: schneider

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 16:20 vuln.today

DescriptionCVE.org

CWE-476 NULL Pointer Dereference vulnerability exists that could cause a denial-of-service condition, rendering the device’s HMI and configuration functionality unavailable when malformed requests are received over exposed network interfaces.

AnalysisAI

Denial-of-service in Schneider Electric PowerLogic P7 power metering devices allows remote, unauthenticated attackers to crash the device's HMI and configuration functionality by sending malformed requests to exposed network interfaces. The flaw stems from a NULL pointer dereference (CWE-476) that renders local management and configuration unavailable until recovery. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed P7 management interface
Delivery
Send malformed network request
Exploit
Trigger NULL pointer dereference
Execution
Crash HMI/configuration service
Impact
Device monitoring and config unavailable

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the PowerLogic P7's exposed management/HMI/configuration interface - the description explicitly scopes this to 'malformed requests received over exposed network interfaces,' so the interface being network-accessible to the attacker is the key prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H, base 8.7) describes a low-complexity, network-reachable, unauthenticated attack with no user interaction and pure availability impact - a strong availability-only profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to an exposed PowerLogic P7 management interface sends a specially malformed request that triggers the NULL pointer dereference, faulting the device's HMI and configuration service and making local monitoring and reconfiguration unavailable. Given AV:N/AC:L/PR:N, no authentication or user interaction is required, and the attack can likely be repeated to sustain the outage; no public POC is referenced in the available data.
Remediation Patch status: Patch available per vendor advisory - apply the fixed firmware identified in Schneider Electric notice SEVD-2026-160-03 (https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-160-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-160-03.pdf); the exact patched version is not stated in the provided data, so confirm it against that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Schneider Electric PowerLogic P7 devices; assess network exposure and connectivity; implement firewall rules restricting remote access to these devices from designated management systems only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9716 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy