Executive Summary

CVE-2026-6865 is an improper access control flaw in Schneider Electric EasyLogic T150 (formerly Saitel DR) and Saitel DP remote terminal units that lets an attacker with network reach to the device retrieve sensitive files without authorization, including configuration and potentially credential material. Because these RTUs sit at the substation, pipeline, and water headworks edge, file disclosure here translates directly into reconnaissance of protection logic, communications endpoints, and control sequences governing physical process equipment.

Technical Exposure Breakdown

The affected component is the RTU and controller firmware on EasyLogic T150 hardware at versions at or below 11.06.31, with Saitel DP carrying the same exposure class. The vulnerability is a file access control defect rather than memory corruption, which lowers the skill floor for exploitation. An attacker who can reach the device management or file transfer interface can request files that should be restricted and receive them.

The attack vector matters more than the CVSS label, which the source does not yet carry. These RTUs typically expose engineering, telemetry, and file services over the station LAN or a serial-to-IP gateway. In most deployments these interfaces were never designed to enforce strong authorization because the original threat model assumed a physically isolated control network. Any actor who pivots from a compromised engineering workstation, a poorly segmented corporate-to-OT path, or a cellular backhaul link inherits direct access to the file disclosure primitive.

The files of concern on a Saitel-class RTU include the device configuration database, communication driver settings for protocols such as DNP3 and IEC 60870-5-104, and any locally stored credentials or keys used to authenticate upstream to the SCADA master. Disclosure of this data gives an adversary the addressing, point mapping, and trust relationships needed to stage a follow-on spoofing or command injection campaign against the process itself.

OT Impact and Compliance Risk

The physical risk is indirect but serious. File disclosure does not by itself open a breaker or change a setpoint, but it hands an attacker the blueprint for doing so. Exposure of point maps and protocol configuration shortens the path to crafting valid control messages that the master station or downstream IEDs will accept as legitimate.

For electric utilities, RTUs at medium-impact or high-impact substations fall under NERC CIP. Unauthorized file read access undermines CIP-005 electronic security perimeter assumptions and CIP-007 information protection expectations, and any credential exposure has direct CIP-011 implications. Under IEC 62443, this is a failure of foundational requirement FR2 (use control) and FR4 (data confidentiality), and it lowers the achievable security level of the affected zone.

Pipeline operators governed by TSA Security Directive SD-02C should treat exposed RTU credentials as a segmentation and access control finding requiring documented remediation. Water and wastewater systems under AWIA 2018 obligations face the same logic: a field device that surrenders its configuration to an unauthenticated requester invalidates the risk assessment that assumed the device boundary was trustworthy.

Compensating Controls

Do not rely on a firmware update alone, and do not run active vulnerability scans against these RTUs to confirm exposure. Aggressive probing of Saitel-class controllers can disrupt protocol stacks and induce communications faults or restarts that affect live telemetry. Validate exposure passively through configuration review and network traffic analysis.

Stage and test the vendor firmware in a lab or maintenance window before field deployment, since RTU firmware changes carry process continuity risk that must be scheduled around protection coordination.

BreachSpider Intel

BreachSpider tracks CVE-2026-6865 and the broader Saitel and EasyLogic exposure surface for active exploitation signals and updated mitigation guidance across monitored OT environments.