CVE-2025-9996: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Schneider Electric Saitel DR RTU

Severity: Medium
Tags: Vulnerability, CVE-2025-9996, cve, cve-2025-9996, cwe-78
Published: Tue Sep 09 2025 (09/09/2025, 21:11:15 UTC)
Source: CVE Database V5
Vendor/Project: Schneider Electric
Product: Saitel DR RTU

Description

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause the execution of any shell command when executing a netstat command using BLMon Console in an SSH session.

AI-Powered Analysis

Last updated: 09/09/2025, 21:36:11 UTC

Technical Analysis

CVE-2025-9996 is an OS command injection vulnerability (CWE-78) found in Schneider Electric's Saitel DR RTU product, affecting all versions. The vulnerability arises due to improper neutralization of special elements in user input when executing the 'netstat' command via the BLMon Console over an SSH session. Specifically, when a user with low privileges (PR:L) executes the netstat command, the input is not properly sanitized, allowing an attacker to inject arbitrary shell commands. This could lead to execution of any shell command on the underlying operating system. The vulnerability does not require user interaction (UI:N), but does require partial authentication (AT:P) with low privileges. The CVSS 4.0 base score is 5.8 (medium severity), reflecting the local attack vector (AV:L), low complexity (AC:L), partial authentication, and high impact on confidentiality, with limited impact on integrity and availability. No known exploits are currently in the wild, and no patches have been released yet. The vulnerability is significant because RTUs (Remote Terminal Units) like Saitel DR RTU are critical components in industrial control systems (ICS) and operational technology (OT) environments, often used in energy, utilities, and manufacturing sectors. Successful exploitation could allow attackers to execute arbitrary commands, potentially leading to data leakage, system manipulation, or disruption of critical infrastructure operations.

Potential Impact

For European organizations, especially those operating in critical infrastructure sectors such as energy, water, and manufacturing, this vulnerability poses a substantial risk. The Saitel DR RTU is likely deployed in supervisory control and data acquisition (SCADA) systems that manage essential services. Exploitation could lead to unauthorized command execution, enabling attackers to manipulate system behavior, disrupt monitoring and control functions, or exfiltrate sensitive operational data. Given the partial authentication requirement, insider threats or attackers who have gained limited access could escalate their capabilities. The high confidentiality impact could expose sensitive operational data, while limited integrity and availability impacts still pose risks to system reliability. Disruptions in critical infrastructure could have cascading effects on public safety, economic stability, and regulatory compliance within the European Union and other European countries. The absence of patches increases the urgency for mitigation and monitoring.

Mitigation Recommendations

1. Implement strict access controls and network segmentation to limit SSH access to the BLMon Console only to trusted administrators and systems.
2. Employ multi-factor authentication (MFA) for all users accessing the RTU to reduce the risk of credential compromise.
3. Monitor and log all SSH sessions and command executions on the Saitel DR RTU to detect anomalous or unauthorized command usage.
4. Use application-layer firewalls or intrusion detection/prevention systems (IDS/IPS) capable of detecting command injection patterns targeting the RTU.
5. Until a patch is available, consider disabling or restricting the use of the netstat command via the BLMon Console if operationally feasible.
6. Conduct regular security audits and vulnerability assessments of OT environments to identify and remediate similar injection flaws.
7. Establish incident response plans specific to OT environments to quickly contain and remediate exploitation attempts.
8. Engage with Schneider Electric for updates and apply patches promptly once released.
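One way to act on the monitoring recommendation (item 3), as an added example that is not Schneider Electric's code or part of the original analysis: an allow-list check that flags any logged netstat invocation whose arguments are anything other than plain option clusters. The log layout (`<timestamp> <user> <command line>`), the sample records, and the names `check_netstat` and `scan` are assumptions made for illustration.

```python
import re

# Assumed record layout: "<timestamp> <user> <command line>". The real
# BLMon/SSH audit format is not given on the page; adapt RECORD to it.
RECORD = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.*)$")
# "netstat" as a whole command word, followed by whatever was typed.
NETSTAT = re.compile(r"^\s*netstat(?![\w-])(?P<rest>.*)$")
# Allow-list: an argument must be a short option cluster such as -an or -r.
# Extend this to the exact option set operators use on site.
SAFE_ARG = re.compile(r"^-[A-Za-z]{1,8}$")

def check_netstat(cmdline):
    """Return reasons a netstat command line is suspicious ([] if clean)."""
    m = NETSTAT.match(cmdline)
    if not m:
        return []  # not a netstat invocation; out of scope for this check
    # Split on whitespace only: separators, pipes, quotes and substitutions
    # stay inside tokens and therefore fail the allow-list.
    return [f"argument outside allow-list: {arg!r}"
            for arg in m.group("rest").split() if not SAFE_ARG.match(arg)]

def scan(lines):
    """Return (line_number, user, reasons) for every flagged record."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = RECORD.match(line.strip())
        if not m:
            continue
        reasons = check_netstat(m.group("cmd"))
        if reasons:
            alerts.append((n, m.group("user"), reasons))
    return alerts

# Constructed sample records, not captured from a real device.
SAMPLE_LOG = """\
2025-01-01T10:02:11Z operator1 netstat -an
2025-01-01T10:02:40Z operator1 netstat -r
2025-01-01T10:03:05Z operator2 netstat -an;uptime
2025-01-01T10:03:30Z operator2 netstat -a | tee /tmp/out
2025-01-01T10:04:00Z operator1 help
""".splitlines()

if __name__ == "__main__":
    for n, user, reasons in scan(SAMPLE_LOG):
        print(f"line {n} user={user}: " + "; ".join(reasons))
```

Because the check is an allow-list rather than a list of known-bad characters, legitimate arguments that take values are also flagged until they are added to `SAFE_ARG`.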

Technical Details

Data Version: 5.1
Assigner Short Name: schneider
Date Reserved: 2025-09-04T16:16:03.592Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c09a1b9ed239a66bacd6e5

Added to database: 9/9/2025, 9:20:27 PM

Last enriched: 9/9/2025, 9:36:11 PM

Last updated: 9/9/2025, 10:43:43 PM
