Executive Summary
CVE-2026-4832 permits unauthorized retrieval of basic device identification data from Schneider Electric Easergy MiCOM Px40 series protection relays through the SNMP service. The relays perform protection functions across Medium, High, and Extra High Voltage substation feeders, so the disclosure feeds reconnaissance that precedes attacks against equipment that directly governs breaker trip logic and fault isolation.
Technical Exposure Breakdown
The vulnerable component is the SNMP agent embedded in the Px40 firmware. SNMP on these relays is used for network management integration, health polling, and asset inventory functions in substation automation networks. The flaw allows an actor with network reachability to the SNMP port to enumerate device identification objects without proper authorization controls in place.
The attack vector is network adjacent. An adversary needs a path to the relay management interface, which in practice means access to the station bus, the substation LAN, or any flat network segment where SNMP polling traffic transits. The disclosed data set is described as basic device identification. That includes model, firmware, and configuration metadata that an operator would recognize as inventory fields, and that an attacker would recognize as the first step in matching a target relay to a known firmware exploit or configuration weakness.
This is not a code execution or a direct trip manipulation flaw. It is an information disclosure issue. The severity is not in the read operation itself but in what the read enables. In an OT kill chain, precise device fingerprinting shortens the reconnaissance phase and lets an adversary select firmware specific attack tooling before touching the relay in a way that would generate alarms. Protection relay firmware and model data are exactly the fields that gate whether a follow on attack is viable.
OT Impact and Compliance Risk
The Px40 series sits at the protection layer of the substation. These relays decide when to open a breaker to clear a fault. If an adversary maps the relay population through SNMP disclosure and then pivots to a firmware or protocol level attack, the physical outcomes are misoperation, failure to trip on a real fault, or spurious tripping that removes healthy feeders from service. On EHV and HV assets, either failure mode carries cascading risk to the wider transmission network.
For NERC CIP registered entities, exposed SNMP services on BES Cyber Systems create findings under CIP-007 for ports and services management and CIP-005 for electronic security perimeter enforcement. The information leak also undercuts CIP-011 information protection expectations, since device identification data is precisely the kind of information the standard aims to keep out of adversary hands. Under IEC 62443, the exposure maps to failures in system hardening (SR 1.1 and SR 1.2 for authentication and authorization) and network segmentation controls at the zone and conduit boundary. Utilities operating under water sector obligations should treat this as a template for how a low severity read primitive still degrades the AWIA 2018 risk and resilience posture when the same relay families appear in pump and treatment SCADA.
Compensating Controls
Do not rely on the vendor firmware update as the only action. Substation maintenance windows are scarce and relay firmware changes require protection engineering review and possible retesting of trip settings.
- Disable the SNMP agent on the relay if network management does not require it. Many deployments enable SNMP by default and never poll it.
- If SNMP is required, restrict it to SNMPv3 with authentication and encryption and remove any default or public community strings.
- Enforce access control lists at the switch and firewall so only the designated network management station can reach UDP 161 on the relay. Block SNMP at every zone conduit that does not carry legitimate management traffic.
- Deploy passive detection rather than active scanning. Active scans of protection relays can disrupt or brick industrial components, and SNMP walks against a busy relay CPU can degrade protection response timing.
- Author a Suricata rule concept that alerts on SNMP GET requests to relay IP ranges originating from any host other than the sanctioned management station, which functions as a virtual patch by surfacing unauthorized enumeration before it becomes reconnaissance.
Prioritize segmentation and ACL enforcement first, since those controls contain the exposure immediately without a firmware change or an outage.
BreachSpider Intel
BreachSpider tracks CVE-2026-4832 and the broader Easergy relay exposure surface across 25,000+ ICS CVEs so OT teams can monitor affected assets without active scanning.