Skip to main content

PowerLogic P7 EUVDEUVD-2026-39434

| CVE-2026-9717 HIGH
OS Command Injection (CWE-78)
2026-06-25 schneider GHSA-47f2-rprg-7x63
8.6
CVSS 4.0 · Vendor: schneider
Share

Severity by source

Vendor (schneider) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.2 HIGH

Network-reachable management service (AV:N) with low complexity (AC:L) but requiring an existing privileged account (PR:H); injected commands run with elevated privileges yielding full C/I/A impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (schneider).

CVSS VectorVendor: schneider

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 16:20 vuln.today

DescriptionCVE.org

CWE-78 Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow unauthorized execution of commands with elevated privileges, impacting system integrity, confidentiality, and availability when a privileged authenticated user interacts with a vulnerable network-exposed service.

AnalysisAI

Authenticated command injection in Schneider Electric PowerLogic P7 power metering devices allows a privileged user to execute arbitrary OS commands with elevated privileges over a network-exposed service, fully compromising device integrity, confidentiality, and availability. The flaw (CWE-78) stems from improper neutralization of special elements passed to an underlying OS command. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain privileged device credentials
Delivery
Reach network-exposed P7 management service
Exploit
Submit input with shell metacharacters
Execution
Trigger OS command injection
Persist
Execute commands with elevated privileges
Impact
Compromise metering integrity and availability

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already hold a privileged authenticated account on the PowerLogic P7 device (CVSS PR:H) and network reachability to the vulnerable management service (AV:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H, score 8.6 High) indicates a network-reachable, low-complexity attack with no user interaction but requiring high privileges (PR:H) - i.e., the attacker must already hold privileged authenticated access to the device's management service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained privileged credentials for a PowerLogic P7 device - through credential reuse, phishing of an engineer, or a compromised engineering workstation - connects to the network-exposed management service and submits a crafted parameter containing shell metacharacters. The injected OS command executes with elevated privileges, letting the attacker alter metering data, disable the device, or pivot within the OT network. …
Remediation Apply the firmware fix specified in Schneider Electric advisory SEVD-2026-160-03 (https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-160-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-160-03.pdf); the exact patched firmware version is not included in the provided data and must be taken from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 HOURS: Audit network exposure of all Schneider Electric PowerLogic P7 devices; identify which systems are accessible from untrusted or external networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy