CISA Warns of Hard-Coded Credentials Vulnerability in Schneider Electric Easergy MiCOM Relays
CISA has issued an advisory for a hard-coded credentials vulnerability in Schneider Electric's Easergy MiCOM Px40 Series protection relays, potentially exposing device identification data.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory detailing a significant vulnerability affecting Schneider Electric's Easergy MiCOM Px40 Series of protection relays. The flaw, identified as CVE-2026-4832, stems from the use of hard-coded credentials, a common security weakness categorized under CWE-798. This vulnerability could allow unauthenticated attackers to gain unauthorized access to basic device identification information by interrogating the device's Simple Network Management Protocol (SNMP) port.
Schneider Electric, a global manufacturer of industrial automation and energy management solutions, has acknowledged the vulnerability. The Easergy MiCOM Px40 series are critical components used in medium, high, and extra-high voltage protection systems within the energy and critical manufacturing sectors. The potential exposure of device identification data, while not directly leading to system compromise, could provide attackers with valuable reconnaissance information for planning more targeted attacks.
The vulnerability impacts a wide range of firmware versions across numerous models within the Easergy MiCOM Px40 product line. Affected devices include various P14x, P24x, P341, P342-P345, P442-P444, P443-P546, P841, P643, P642-P645, P741-P743, P746, and P849 series relays, with specific firmware versions prior to certain releases being susceptible. The advisory lists all affected product lines and their corresponding vulnerable firmware ranges, emphasizing the broad scope of potential exposure.
The Common Vulnerability Scoring System (CVSS) version 3.1 assigns a base score of 5.3 to this vulnerability, categorizing it as 'MEDIUM' severity. The vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N indicates that the attack vector is network-based, the attack complexity is low, there are no privileges required, no user interaction is needed, the scope is unchanged, and it results in a low impact on confidentiality, with no impact on integrity or availability. Despite the medium severity, the widespread deployment of these devices in critical infrastructure makes any vulnerability a serious concern.
Schneider Electric has outlined several mitigation strategies to reduce the risk of exploitation. For customers who do not require SNMP functionality, the primary recommendation is to upgrade the firmware to a version that removes SNMP capabilities. If SNMP is necessary, or if immediate firmware upgrades are not feasible, organizations are urged to implement immediate mitigations. These include isolating the affected relays within a protected network environment, employing firewalls to segment the control system network from other networks, and utilizing Virtual Private Networks (VPNs) for any required remote access.
CISA strongly recommends that organizations follow general cybersecurity best practices for industrial control systems. These include locating control system networks behind firewalls, isolating them from business networks, and implementing physical security controls to prevent unauthorized access. Minimizing network exposure for all control system devices and ensuring they are not accessible from the internet are also crucial steps. When remote access is necessary, secure methods like VPNs should be employed, ensuring that VPNs themselves are kept updated and secure.
CPCERT initially reported this vulnerability to CISA. Schneider Electric provides further assistance through its Customer Care Center and Industrial Cybersecurity Services, guiding customers through the process of applying patches and mitigations. The company also offers a comprehensive document on Recommended Cybersecurity Best Practices for further guidance on securing their installations.
This advisory highlights the ongoing challenges in securing operational technology (OT) environments, where legacy systems and specific protocols like SNMP can present unique security risks. The presence of hard-coded credentials in critical infrastructure components underscores the need for continuous vigilance, regular security audits, and prompt application of vendor-provided security updates and mitigations.