Executive Summary
CVE-2026-6865 is an improper access control flaw in Schneider Electric EasyLogic T150 (formerly Saitel DR) and Saitel DP remote terminal units that lets an attacker with network reach to the device retrieve sensitive files without authorization, including configuration and potentially credential material. Because these RTUs sit at the substation, pipeline, and water headworks edge, file disclosure here translates directly into reconnaissance of protection logic, communications endpoints, and control sequences governing physical process equipment.
Technical Exposure Breakdown
The affected component is the RTU and controller firmware on EasyLogic T150 hardware at versions at or below 11.06.31, with Saitel DP carrying the same exposure class. The vulnerability is a file access control defect rather than memory corruption, which lowers the skill floor for exploitation. An attacker who can reach the device management or file transfer interface can request files that should be restricted and receive them.
The attack vector matters more than the CVSS label, which the source does not yet carry. These RTUs typically expose engineering, telemetry, and file services over the station LAN or a serial-to-IP gateway. In most deployments these interfaces were never designed to enforce strong authorization because the original threat model assumed a physically isolated control network. Any actor who pivots from a compromised engineering workstation, a poorly segmented corporate-to-OT path, or a cellular backhaul link inherits direct access to the file disclosure primitive.
The files of concern on a Saitel-class RTU include the device configuration database, communication driver settings for protocols such as DNP3 and IEC 60870-5-104, and any locally stored credentials or keys used to authenticate upstream to the SCADA master. Disclosure of this data gives an adversary the addressing, point mapping, and trust relationships needed to stage a follow-on spoofing or command injection campaign against the process itself.
OT Impact and Compliance Risk
The physical risk is indirect but serious. File disclosure does not by itself open a breaker or change a setpoint, but it hands an attacker the blueprint for doing so. Exposure of point maps and protocol configuration shortens the path to crafting valid control messages that the master station or downstream IEDs will accept as legitimate.
For electric utilities, RTUs at medium-impact or high-impact substations fall under NERC CIP. Unauthorized file read access undermines CIP-005 electronic security perimeter assumptions and CIP-007 information protection expectations, and any credential exposure has direct CIP-011 implications. Under IEC 62443, this is a failure of foundational requirement FR2 (use control) and FR4 (data confidentiality), and it lowers the achievable security level of the affected zone.
Pipeline operators governed by TSA Security Directive SD-02C should treat exposed RTU credentials as a segmentation and access control finding requiring documented remediation. Water and wastewater systems under AWIA 2018 obligations face the same logic: a field device that surrenders its configuration to an unauthenticated requester invalidates the risk assessment that assumed the device boundary was trustworthy.
Compensating Controls
Do not rely on a firmware update alone, and do not run active vulnerability scans against these RTUs to confirm exposure. Aggressive probing of Saitel-class controllers can disrupt protocol stacks and induce communications faults or restarts that affect live telemetry. Validate exposure passively through configuration review and network traffic analysis.
- Enforce strict allowlisting at the cell or zone firewall so only the SCADA master and designated engineering hosts can reach RTU file and management ports. Treat every other source as hostile by default.
- Deploy a virtual patch at the network layer to block unauthorized file transfer requests before they reach the device. A Suricata rule concept here inspects management and file service traffic for read or retrieve operations originating outside the defined master and engineering address set, and alerts or drops on any other source.
- Rotate any credentials and keys stored on or referenced by the RTU configuration, on the assumption that affected files may already be exposed.
- Place affected RTUs behind a one-way or tightly mediated gateway where the operational architecture permits, and audit serial-to-IP converters that may bypass perimeter controls.
Stage and test the vendor firmware in a lab or maintenance window before field deployment, since RTU firmware changes carry process continuity risk that must be scheduled around protection coordination.
BreachSpider Intel
BreachSpider tracks CVE-2026-6865 and the broader Saitel and EasyLogic exposure surface for active exploitation signals and updated mitigation guidance across monitored OT environments.