Description
CWE-732 Incorrect Permission Assignment for Critical Resource vulnerability that could cause unauthorized disclosure of password hashes and potential account compromise when an attacker with privileged local access reads improperly protected system files.
Published: 2026-06-25
Score: 6.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an incorrect permission assignment flaw that allows a local attacker with privileged access to read system files containing password hashes. This could enable the attacker to compromise user accounts by leveraging the exposed credentials. The weakness stems from improper file permissions, classed as CWE-732, and results in a breach of confidentiality and potential further compromise of system integrity.

Affected Systems

Schneider Electric EasyLogic T150 (formerly Saitel DR) Remote Terminal Unit & Controller and Schneider Electric Saitel DP Remote Terminal Unit & Controller are impacted. Version information was not provided in the advisory, so all releases of these products may be affected until an official patch is released.

Risk and Exploitability

The CVSS score of 6.7 indicates Medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, so there is no known widespread exploitation yet. The likely attack vector is a local privileged user who can access the system files; this could occur through an insider threat, a compromised local device, or an initial exploitation that grants local privileges.

Generated by OpenCVE AI on June 25, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patches released by Schneider Electric for the affected EasyLogic T150 and Saitel DP devices.
  • Verify that any files containing password hashes have permissions that restrict access to the administrator account only, for example using chmod 600 on Linux or equivalent ACLs on other systems.
  • Restrict local privileged access by disabling unnecessary local administrator accounts or requiring multi‑factor authentication for privileged use.
  • Monitor system logs for unauthorized attempts to access protected files.



Advisories

No advisories yet.

History

Thu, 25 Jun 2026 17:00:00 +0000

Type | Values Removed | Values Added
Title | | Permission Assignment Flaw Exposes Password Hashes in Schneider Electric Remote Terminals

Thu, 25 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | CWE-732 Incorrect Permission Assignment for Critical Resource vulnerability that could cause unauthorized disclosure of password hashes and potential account compromise when an attacker with privileged local access reads improperly protected system files.
Weaknesses | | CWE-732
References | |
Metrics | | cvssV4_0 {'score': 6.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: schneider

Published:

Updated: 2026-06-25T15:49:36.271Z

Reserved: 2026-05-26T19:45:22.354Z

Link: CVE-2026-9651

Vulnrichment

Updated: 2026-06-25T15:49:33.678Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:45:03Z

Weaknesses
  • CWE-732: Incorrect Permission Assignment for Critical Resource