Schneider Electric Saitel DR & Saitel DP Remote Terminal Unit
Monitor | 6.6 | ICS-CERT ICSA-25-261-03 | Sep 18, 2025
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Schneider Electric Saitel DR and Saitel DP Remote Terminal Units (RTUs) contain command injection vulnerabilities in the BLMon functionality that allow an attacker with local access and limited user privileges to execute arbitrary shell commands on the affected devices. Affected versions: Saitel DR RTU ≤11.06.29 and Saitel DP RTU ≤11.06.33. Schneider Electric has released firmware fixes for both products, available for download (Saitel DR: HUe Firmware 11.06.30; Saitel DP: SM_CPU866e 11.06.34), though deployment requires a device reboot.
What this means
What could happen
An attacker with local network access and a valid user account could execute arbitrary commands on the RTU, potentially altering process setpoints, stopping communications, or disrupting remote terminal operations that control energy distribution or generation assets.
Who's at risk
Energy sector operators—particularly municipal utilities and power distribution companies—should assess whether they deploy Schneider Electric Saitel DR or Saitel DP Remote Terminal Units. RTUs are critical devices that relay telemetry and control commands between SCADA systems and field equipment (transformers, breakers, switches). An RTU compromise could disrupt load balancing, relay control commands, or prevent operator visibility into grid conditions.
How it could be exploited
An attacker with access to the local network and valid user credentials (not necessarily engineering-level) can interact with the BLMon function through SSH to the RTU and inject shell commands that execute with elevated privileges, allowing them to alter or disable device functionality.
Prerequisites
- Local network access to the RTU (cannot exploit remotely from the Internet)
- Valid user account on the RTU (least privilege role sufficient)
- SSH access to the device (not restricted by firewall)

- No authentication required for exploitation once network access gained
- Low complexity attack: simple command injection
- Affects critical energy infrastructure (RTU field devices)
- Patch deployment requires device reboot during maintenance window
- Default user roles may have unintended access to BLMon
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Schneider Electric Saitel DP RTU | ≤ 11.06.33 | 11.06.34 (SM_CPU866e) |
| Schneider Electric Saitel DR RTU | ≤ 11.06.29 | 11.06.30 (HUe Firmware) |
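
As an added example (not part of the advisory and not Schneider Electric tooling), the following Python script triages an asset inventory against the affected and fixed firmware versions listed above. The CSV column layout and asset names are hypothetical, and the sample rows are constructed.

```python
import csv
import io

# Version bounds taken from the advisory: highest affected and first fixed firmware.
ADVISORY = {
    "Saitel DR": {"max_affected": "11.06.29", "fixed": "11.06.30 (HUe Firmware)"},
    "Saitel DP": {"max_affected": "11.06.33", "fixed": "11.06.34 (SM_CPU866e)"},
}

def parse_version(text):
    """Turn '11.06.29' into (11, 6, 29); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Return one (asset, status, detail) tuple per inventory row."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        entry = ADVISORY.get(row["model"].strip())
        if entry is None:
            results.append((row["asset"], "not-in-scope", row["model"]))
            continue
        try:
            installed = parse_version(row["firmware"])
        except ValueError as exc:
            # Unknown version: flag for manual verification, never assume fixed.
            results.append((row["asset"], "verify-manually", str(exc)))
            continue
        if installed <= parse_version(entry["max_affected"]):
            results.append((row["asset"], "affected", f"upgrade to {entry['fixed']}"))
        else:
            results.append((row["asset"], "fixed", row["firmware"]))
    return results

# Constructed sample inventory (hypothetical asset names and column layout).
SAMPLE_INVENTORY = """asset,model,firmware
rtu-sub-01,Saitel DR,11.06.29
rtu-sub-02,Saitel DR,11.06.30
rtu-plant-07,Saitel DP,11.06.12
rtu-plant-08,Saitel DP,11.06.34
rtu-plant-09,Saitel DP,unknown
plc-yard-03,Other PLC,2.1.0
"""

if __name__ == "__main__":
    for asset, status, detail in triage(SAMPLE_INVENTORY):
        print(f"{asset:14} {status:16} {detail}")
```

Rows whose firmware string cannot be parsed are reported as `verify-manually` so that an incomplete inventory does not hide an affected RTU.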
Remediation & Mitigation
Do now
- WORKAROUND: Restrict BLMon access by assigning permissions only to essential user roles; audit and remove unnecessary user accounts
- HARDENING: Implement firewall rules to block inbound SSH connections to the RTU except from authorized engineering workstations
- HARDENING: Apply principle of least privilege: ensure all users have only the minimum role required for their operational tasks
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Upgrade Saitel DR RTU firmware to HUe Firmware version 11.06.30 or later
- HOTFIX: Upgrade Saitel DP RTU firmware to SM_CPU866e version 11.06.34 or later
Long-term hardening
- HARDENING: Isolate control system networks (including RTU subnets) from the business network with firewalls and DMZ architecture
- HARDENING: Disable or restrict remote access to RTUs; use VPN with multi-factor authentication if remote access is required
CVEs (2)