Description
CWE‑331 Insufficient Entropy vulnerability exists that could lead to unauthorized access when an attacker on the network can exploit weaknesses in session‑management protections.
Published: 2026-05-12
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a CWE‑331 insufficient entropy flaw that can lead to unauthorized access when an attacker on the network exploits weaknesses in session‑management protections. The flaw allows an attacker to predict or guess session identifiers, thereby hijacking authenticated sessions or forging authentication tokens, and causes loss of confidentiality and integrity of control system operations.

Affected Systems

Affected products include Schneider Electric Easergy C5, Easergy MiCOM C264, Easergy MiCOM P30, Easergy MiCOM P40, EasyLogic T150, EcoStruxure Power Automation System User Interface, EcoStruxure Power Automation System Gateway, EcoStruxure Power Operation, PowerLogic P5 Protection Relay, PowerLogic P7 Protection and Control Platform, PowerLogic T300, PowerLogic T500, Saitel DP, and iPMFLS. Specific firmware or software versions that contain the flaw are not listed, so all current releases lacking an explicit patch should be considered vulnerable.

Risk and Exploitability

The CVSS score of 8.7 signals a high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, indicating that exploit activity may not yet be widespread, although the risk remains significant for any attacker with network access. Based on the description, it is inferred that an attacker who can reach the device over the network and interact with its session‑management endpoint could exploit the low randomness and hijack sessions. Prompt patching is therefore advised.

Generated by OpenCVE AI on May 12, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest firmware or software update released by Schneider Electric that fixes the insufficient entropy issue.
  • If an update is not yet available, isolate the devices from general network traffic by placing them on a dedicated management VLAN or by applying firewall rules that only allow connections from authorized management hosts.
  • Enable or enforce secure session‑management settings, ensuring that session identifiers are generated using a high‑entropy random number source and that session timeouts or re‑authentication are configured according to best practice.

Generated by OpenCVE AI on May 12, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 12:45:00 +0000

Type Values Removed Values Added
Description CWE‑331 Insufficient Entropy vulnerability exists that could lead to unauthorized access when an attacker on the network can exploit weaknesses in session‑management protections.
Title Insufficient Entropy vulnerability on Multiple Products
Weaknesses CWE-331
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-05-12T12:39:31.579Z

Reserved: 2026-03-25T14:07:29.111Z

Link: CVE-2026-4827

cve-icon Vulnrichment

Updated: 2026-05-12T12:39:06.306Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-12T13:17:35.510

Modified: 2026-05-12T14:19:41.400

Link: CVE-2026-4827

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T13:30:16Z

Weaknesses