Executive Summary
An unauthenticated attacker can extract credentials stored inside the firmware or system files of Schneider Electric EasyLogic T150 (formerly Saitel DR) and Saitel DP Remote Terminal Units, granting unauthorized access to the device. These are field controllers that sit directly on substation, pipeline, and water telemetry perimeters, so credential exposure translates into direct manipulation of physical process control and SCADA data integrity.
Technical Exposure Breakdown
The flaws tracked as CVE-2026-9650 and CVE-2026-9651 are credential storage weaknesses. Sensitive authentication material is embedded in firmware images or resident system files rather than derived, hashed with a per-device salt, or held in a hardware root of trust. An attacker who obtains a firmware image, whether by pulling it from a vendor support portal, reading it from flash on a physically accessible unit, or intercepting a maintenance transfer, can recover usable credentials through static analysis.
Affected versions per the advisory: EasyLogic T150 Remote Terminal Unit and Controller at or below 11.06.30 for CVE-2026-9650, and at or below 11.06.31 for CVE-2026-9651, along with impacted Saitel DP RTU builds. The distinction between the two CVEs and the near-identical version ceilings indicates the credential handling was only partially corrected between firmware revisions, which is a pattern that warrants confirming the exact build running on every deployed unit rather than trusting a version family.
The attack does not require authentication, and it does not require a live network session to recover the credential itself. That decouples the initial compromise from network reachability. Once the credential is known, an attacker with logical access to the management interface reuses it across the fleet, because hardcoded and firmware-embedded secrets are typically shared across all devices of the same build. One recovered credential is a master key for every identical RTU an operator has in the field.
OT Impact and Compliance Risk
These RTUs terminate protection, metering, and remote control functions. Unauthorized access allows an attacker to alter setpoints, suppress or falsify telemetry sent upstream to the control center, disable local protection logic, or push malicious configuration. In a substation this reaches breaker and relay coordination. In pipeline and water contexts it reaches pump, valve, and pressure telemetry, which means an operator can be blinded to a real physical event or fed fabricated normal readings while a process drifts out of bounds.
For NERC CIP-registered entities, credential exposure on a BES Cyber Asset intersects the CIP-005 electronic security perimeter controls and the CIP-007 system security management requirements for account and password handling. Under IEC 62443, this is a failure of the foundational requirements FR 1 (identification and authentication control) and FR 2 (use control) at the device level. Water utilities operating Saitel DP units fall under the AWIA 2018 risk and resilience assessment obligations, and pipeline operators under the access control mandates of TSA Security Directive SD-02C. In all cases a shared, extractable credential undermines the account management controls those frameworks assume are enforceable.
Compensating Controls
Do not rely on a firmware update as your first move. Many of these RTUs sit on serial and low-bandwidth telemetry links where a flash operation carries real bricking risk, and outage windows for field devices are scarce. Active scanning of these units for verification is equally dangerous and can force an RTU into a fault state, so passive inventory is the correct method to confirm affected builds.
- Isolate RTU management interfaces behind a data diode or a firewall that permits only the SCADA poll traffic from named master station IP addresses. The recovered credential is worthless to an attacker who cannot reach the interface.
- Segment maintenance access so firmware and configuration transfers occur only from a hardened engineering workstation on a dedicated VLAN, never from general IT or vendor remote sessions.
- Deploy a virtual patch at the perimeter. A Suricata rule concept: alert on management protocol authentication attempts to RTU addresses that originate from any source outside the authorized master station and engineering subnet, and alert on any unexpected firmware or file transfer to these units.
- Where the vendor exposes credential rotation, rotate immediately and disable any default or service accounts that cannot be rotated.
- Physically restrict access to units in unstaffed remote sites, since flash extraction requires proximity to the device.
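The virtual-patch rule concept from the list above, written out as detection logic run over connection records. This is an added example, not code from the advisory or from the vendor: the RTU subnet, master station addresses, engineering VLAN, service ports and the record format are all assumed placeholders for a hypothetical site, to be replaced with the real network plan.

```python
import ipaddress
from typing import List, Optional, Tuple

# Assumed network plan for a hypothetical site (placeholders, not from the advisory).
RTU_NET = ipaddress.ip_network("10.50.0.0/24")          # RTU management interfaces
MASTER_STATIONS = {ipaddress.ip_address("10.10.0.5"), ipaddress.ip_address("10.10.0.6")}
ENGINEERING_NET = ipaddress.ip_network("10.20.7.0/28")  # hardened engineering workstation VLAN
AUTH_PORTS = {22, 23, 443}      # assumed interactive management/login services on the RTU
TRANSFER_PORTS = {21, 69}       # assumed firmware/config transfer services (FTP, TFTP)

def parse_flow(line: str) -> Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address, int]:
    """Parse one constructed 'timestamp src dst dport' connection record."""
    ts, src, dst, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)

def classify(src, dst, dport: int) -> Optional[str]:
    """Apply the two rule concepts to a single flow; None means no alert."""
    if dst not in RTU_NET:
        return None                      # not an RTU, out of scope for these rules
    from_master = src in MASTER_STATIONS
    from_eng = src in ENGINEERING_NET
    # Rule 1: management authentication from anything but master stations or engineering
    if dport in AUTH_PORTS and not (from_master or from_eng):
        return "UNAUTHORIZED_MGMT_AUTH"
    # Rule 2: firmware/config transfer from anywhere except the engineering VLAN
    if dport in TRANSFER_PORTS and not from_eng:
        return "UNEXPECTED_FILE_TRANSFER"
    return None

def detect(lines: List[str]) -> List[Tuple[str, str, str, int, str]]:
    """Run both rules over connection records; return (ts, src, dst, dport, verdict)."""
    alerts = []
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        verdict = classify(src, dst, dport)
        if verdict:
            alerts.append((ts, str(src), str(dst), dport, verdict))
    return alerts

# Constructed sample records (not real traffic); port 20000 stands in for the SCADA poll.
SAMPLE_FLOWS = [
    "2026-01-10T03:12:07Z 10.10.0.5  10.50.0.21 20000",  # master station poll: allowed
    "2026-01-10T03:12:09Z 10.20.7.3  10.50.0.21 22",     # engineering VLAN login: allowed
    "2026-01-10T03:12:15Z 10.99.4.17 10.50.0.21 23",     # corporate IT host login: alert
    "2026-01-10T03:13:02Z 10.10.0.5  10.50.0.22 69",     # TFTP from master station: alert
    "2026-01-10T03:13:40Z 10.20.7.3  10.50.0.22 69",     # TFTP from engineering VLAN: allowed
    "2026-01-10T03:14:01Z 10.99.4.17 10.60.0.5  23",     # not an RTU address: ignored
]

if __name__ == "__main__": print(*detect(SAMPLE_FLOWS), sep="\n")
```

Feed it records exported from a passive sensor rather than from an active scan of the RTUs; the same two predicates translate directly into Suricata rules keyed on the same address groups and ports.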
BreachSpider Intel
BreachSpider tracks credential exposure and firmware weaknesses across 175,000+ OT products so your team sees which RTU builds in your fleet are affected before an attacker turns a shared secret into physical control.