Executive Summary

CVE-2026-4832 permits unauthorized retrieval of basic device identification data from Schneider Electric Easergy MiCOM Px40 series protection relays through the SNMP service. The relays perform protection functions across Medium, High, and Extra High Voltage substation feeders, so the disclosure feeds reconnaissance that precedes attacks against equipment that directly governs breaker trip logic and fault isolation.

Technical Exposure Breakdown

The vulnerable component is the SNMP agent embedded in the Px40 firmware. SNMP on these relays is used for network management integration, health polling, and asset inventory functions in substation automation networks. The flaw allows an actor with network reachability to the SNMP port to enumerate device identification objects without proper authorization controls in place.

The attack vector is network adjacent. An adversary needs a path to the relay management interface, which in practice means access to the station bus, the substation LAN, or any flat network segment where SNMP polling traffic transits. The disclosed data set is described as basic device identification. That includes model, firmware, and configuration metadata that an operator would recognize as inventory fields, and that an attacker would recognize as the first step in matching a target relay to a known firmware exploit or configuration weakness.

This is not a code execution or a direct trip manipulation flaw. It is an information disclosure issue. The severity is not in the read operation itself but in what the read enables. In an OT kill chain, precise device fingerprinting shortens the reconnaissance phase and lets an adversary select firmware specific attack tooling before touching the relay in a way that would generate alarms. Protection relay firmware and model data are exactly the fields that gate whether a follow on attack is viable.

OT Impact and Compliance Risk

The Px40 series sits at the protection layer of the substation. These relays decide when to open a breaker to clear a fault. If an adversary maps the relay population through SNMP disclosure and then pivots to a firmware or protocol level attack, the physical outcomes are misoperation, failure to trip on a real fault, or spurious tripping that removes healthy feeders from service. On EHV and HV assets, either failure mode carries cascading risk to the wider transmission network.

For NERC CIP registered entities, exposed SNMP services on BES Cyber Systems create findings under CIP-007 for ports and services management and CIP-005 for electronic security perimeter enforcement. The information leak also undercuts CIP-011 information protection expectations, since device identification data is precisely the kind of information the standard aims to keep out of adversary hands. Under IEC 62443, the exposure maps to failures in system hardening (SR 1.1 and SR 1.2 for authentication and authorization) and network segmentation controls at the zone and conduit boundary. Utilities operating under water sector obligations should treat this as a template for how a low severity read primitive still degrades the AWIA 2018 risk and resilience posture when the same relay families appear in pump and treatment SCADA.

Compensating Controls

Do not rely on the vendor firmware update as the only action. Substation maintenance windows are scarce and relay firmware changes require protection engineering review and possible retesting of trip settings.

Prioritize segmentation and ACL enforcement first, since those controls contain the exposure immediately without a firmware change or an outage.

BreachSpider Intel

BreachSpider tracks CVE-2026-4832 and the broader Easergy relay exposure surface across 25,000+ ICS CVEs so OT teams can monitor affected assets without active scanning.