The Cybersecurity and Infrastructure Security Agency (CISA) published an industrial control systems advisory on June 18, 2026, cataloged as icsa-26-169-07, documenting a vulnerability across a broad set of Schneider Electric products. The advisory records the issue as CVE-2026-4827 and classifies it under CWE-331, Insufficient Entropy. The affected portfolio listed in the advisory spans the Easergy MiCOM protection-relay family, EcoStruxure Power Automation and Power Operation software, PowerLogic protection relays and platforms, the Easergy C5, and the Saitel DP and EasyLogic T150 product lines. CISA assigns the vulnerability a CVSS version 3.1 base score of 8.3 with a severity of HIGH.

According to the advisory, the products are deployed worldwide and are used in the Chemical, Critical Manufacturing, Energy, and Water and Wastewater critical infrastructure sectors, with the vendor headquartered in France. The advisory describes the underlying weakness in terms of how the affected devices and software manage session security, framing the consequence as a path to unauthorized access for an attacker positioned on the network.

"CWE-331 Insufficient Entropy vulnerability exists that could lead to unauthorized access when an attacker on the network can exploit weaknesses in session‑management protections."— CISA, source

How the advisory scores the flaw

The advisory records a single CVSS metric set for CVE-2026-4827. Under CVSS version 3.1, it lists a base score of 8.3 with a severity of HIGH and the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L. The network attack vector (AV:N) recorded in that vector is consistent with the advisory's description of an attacker on the network exploiting session-management weaknesses, while the user-interaction element (UI:R) and the low availability impact (A:L) are also reflected in the recorded vector. The advisory attributes the reporting of the vulnerability to Schneider Electric CPCERT.

The advisory is a republication. Its revision history records an original release date of 2026-05-12 and a second revision on 2026-06-18 described as the initial CISA republication of Schneider Electric CPCERT advisory SEVD-2026-132-02. The advisory includes a conversion disclaimer stating that the document is a verbatim republication produced from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory, republished to increase visibility and provided on an "as-is" basis.

Affected versions and remediations listed

The advisory enumerates a long list of affected version ranges and corresponding fixed versions. Among the products listed as affected are Easergy MiCOM C264 versions D7.33 and prior, EcoStruxure Power Automation System Gateway version 6.4.616.200.100 and prior, EcoStruxure Power Automation System User Interface version 3.0.3 and prior, EcoStruxure Power Operation 2022 CU6 and prior and 2024 CU2 and prior, PowerLogic P5 Protection Relay V02.502.103 and prior, PowerLogic P7 Protection and Control Platform V02.002.002 and prior, PowerLogic T300 version 2.9.4 and prior, PowerLogic T500 version 11.08.02 and prior, and Easergy C5 version 1.1.17 and prior. The advisory also lists the Easergy MiCOM P40 Series with the Protocol Option bit as G, H or L across all firmware versions as affected.

For remediation, the advisory states that specific fixed versions are available per product. Examples it lists include version D7.34 of MiCOM C264, version 1.1.18 of Easergy C5, version 6.4.610.500.101 of the EPAS Gateway, version 3.0.4 of EPAS-UI, EcoStruxure Power Operation 2022 CU7 and 2024 CU3, PowerLogic P5 version V02.503.101, PowerLogic P7 version V02.003.001, PowerLogic T300 version 2.9.5, and PowerLogic T500 version 11.08.03. The advisory notes that several of these fixes require a reboot to complete the upgrade and directs customers to contact Schneider Electric's Customer Care Center for distribution.

For products without a fix at the time of publication, including certain Easergy MiCOM P30 and P40 Series models, the advisory states that Schneider Electric is establishing a remediation plan and lists interim mitigations. Per the advisory, these include ensuring the device operates within a physically or logically segmented internal network with access controlled by firewalls and intrusion detection systems, and reducing the "Minimum inactivity period" using the CAE tool to shorten session timeout durations and minimize the risk of unauthorized access due to inactive sessions. The advisory adds CISA's standard recommended practices, including minimizing internet exposure of control system devices and placing them behind firewalls isolated from business networks, and directs readers to Schneider Electric's cybersecurity support portal for further detail.

Scope across protection-relay and power-automation lines

The breadth of the affected list is a defining feature of the advisory. Beyond the products named above, the advisory records numerous additional Easergy MiCOM models within the affected range, including the P138, P139, P437, P439, P532, P539, P631, P632, P633, P634, P638, P436, P438, and C434, along with the EcoStruxure Power Operation cumulative-update releases and the iPMFLS product at version 64.2025.0.13 and prior. The advisory also lists the Saitel DP at version 11.06.36 and prior and the EasyLogic T150, formerly Saitel DR, at version 11.06.30 and prior. The common thread across all of these entries, as recorded in the advisory, is the single CVE-2026-4827 identifier and the CWE-331 insufficient-entropy classification.

Because the products span four critical infrastructure sectors named in the advisory, the affected equipment includes protection relays and power-automation components used in electrical substations and industrial facilities. The advisory's summary section additionally references the PowerChute Serial Shutdown product, describing it as UPS management software, and states that failure to apply the remediation could risk improper input validation resulting in disruption of operations and access to system data. For asset owners, the advisory functions as a consolidated reference mapping each affected product line to its specific affected version range and, where available, the corresponding fixed version, alongside the interim segmentation and session-timeout mitigations CISA and the vendor list for products still awaiting a fix.