Executive Summary

Schneider Electric Easergy MiCOM Px40 Series protection relays expose basic device identification through the SNMP protocol without adequate access control, allowing an unauthenticated actor with network reach to enumerate relay identity and firmware attributes. These are the relays that trip breakers on medium, high, and extra high voltage feeders, so even a low-severity disclosure feeds directly into targeting of the assets that keep the grid inside its physical operating envelope.

Technical Exposure Breakdown

The vulnerable component is the SNMP service running on the Px40 platform, which spans the P40 Agile family used for feeder, transformer, generator, and busbar protection. The reported condition is information disclosure of basic device identification data. This is not a memory corruption or remote code execution primitive. It is a reconnaissance-grade flaw, and it should be treated as one.

The attack vector is network access to the SNMP interface, typically UDP port 161. In most substation deployments SNMP was enabled for network management system polling and never hardened. Default or weak community strings, most commonly public for read access, are still routine in the field. An actor who has reached the station bus or process bus, or who has pivoted from a compromised engineering workstation, can query the relay and pull identity fields that confirm exact model and firmware revision.

The condition required is simply reachability plus a valid or default community string. No authentication bypass is needed because SNMP v1 and v2c authenticate only on the community string, which is transmitted in cleartext and often shared across an entire fleet. That is the real exposure. The disclosed data by itself is low value. The disclosed data mapped against a vulnerability database that tracks 25,000+ ICS CVEs across 175,000+ OT products is a firmware fingerprint that lets an adversary select the next exploit with precision.

OT Impact and Compliance Risk

Nothing in this advisory causes a relay to misoperate on its own. The physical risk is second order. A protection relay that has been fingerprinted is a relay whose known weaknesses can be matched to its exact build, which shortens the path from access to manipulation of protection settings or trip logic. Misconfigured or maliciously altered protection functions can cause failure to trip on a real fault, or nuisance trips that de-energize load, both of which have direct consequences for grid stability.

For compliance, IEC 62443 zone and conduit requirements are the primary lens here. An SNMP service reachable outside its intended management conduit is a boundary failure. Under NERC CIP, this touches CIP-005 electronic security perimeter controls and CIP-007 system security management, specifically ports and services and the disabling of unused network accessible functions. An enabled SNMP service that leaks identity data is exactly the kind of unnecessary port and service that CIP-007 requires operators to justify or disable. Auditors will ask why it is on and what community strings protect it.

Compensating Controls

Do not treat firmware update as the first move. On a live substation, patching a protection relay is a scheduled maintenance activity with test procedures, not a same-day action. Active scanning to inventory affected relays is also dangerous, since aggressive SNMP polling or port sweeps can lock up or destabilize embedded protection hardware. Passive inventory and configuration review are the correct starting point.

Rotate any shared community strings and audit which hosts have ever polled these relays. A fingerprinting attempt is a strong early indicator of staged reconnaissance.

BreachSpider Intel

BreachSpider tracks exposure and exploitation signals across the OT product landscape so operators can prioritize protection relay hardening before a reconnaissance flaw becomes a targeting map.