Schneider Electric Saitel DR & Saitel DP Remote Terminal Unit

MonitorCVSS 6.6ICS-CERT ICSA-25-261-03Sep 9, 2025

Schneider ElectricEnergyTransportation

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Schneider Electric Saitel DR RTU (versions 11.06.29 and earlier) and Saitel DP RTU (versions 11.06.33 and earlier) contain command injection vulnerabilities that allow authenticated local users to execute arbitrary shell commands. Successful exploitation could enable an attacker to run arbitrary commands on the affected RTU devices.

What this means

What could happen

An attacker with local access and limited privileges could execute arbitrary shell commands on the RTU, potentially altering process control logic, disabling remote operations, or corrupting configuration.

Who's at risk

Energy and transportation operators running Schneider Electric Saitel DR or Saitel DP Remote Terminal Units (RTUs) should assess their environment. These RTUs are typically used for remote monitoring and control in power distribution, substations, and transit systems. Any organization using these devices in a production environment with user accounts is potentially affected.

How it could be exploited

An attacker with valid credentials on the local system could bypass command restrictions through the BLMon interface or SSH access, then execute arbitrary shell commands to modify RTU behavior or access sensitive configuration data.

Prerequisites

Valid user account on the RTU (any privilege level)
Local or network access to the SSH service or BLMon interface
Schneider Electric Saitel DR RTU running version 11.06.29 or earlier, or Saitel DP RTU running version 11.06.33 or earlier

Low complexity exploitation requiredLocal or network-accessible vulnerabilityAffects critical control devices (RTUs)No patch may be immediately deployable without process interruptionDefault or weak user credentials could increase risk

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

Saitel DR RTU≤ 11.06.2911.06.30

Saitel DP RTU≤ 11.06.3311.06.34

Schneider Electric Saitel DP RTU: <=11.06.33≤ 11.06.3311.06.34 (SM_CPU866e)

Schneider Electric Saitel DR RTU: <=11.06.29≤ 11.06.2911.06.30 (HUe Firmware)

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDRestrict access to BLMon by assigning permissions only to a limited set of user roles with a need for that access.

WORKAROUNDApply firewall rules to restrict SSH connections to the RTU from untrusted networks.

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

Saitel DR RTU

HOTFIXUpdate Saitel DR RTU firmware to version 11.06.30 or later (HUe Firmware). A reboot is required.

Saitel DP RTU

HOTFIXUpdate Saitel DP RTU firmware to version 11.06.34 or later (SM_CPU866e). A reboot is required.

All products

HARDENINGAssign users the least privileged role required to perform their designated tasks on the RTU.

Long-term hardening

0/1

HARDENINGIsolate RTU networks behind firewalls and separate them from business networks.

CVEs (2)

CVE-2025-9996 CVE-2025-9997

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5084d6fc-865e-4f11-8845-5d8be1e082f7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.