
CVE-2025-9996: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Schneider Electric Saitel DR RTU

Severity: Medium
Tags: Vulnerability, CVE-2025-9996, CWE-78
Published: Tue Sep 09 2025 (09/09/2025, 21:11:15 UTC)
Source: CVE Database V5
Vendor/Project: Schneider Electric
Product: Saitel DR RTU

Description

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause the execution of any shell command when executing a netstat command using BLMon Console in an SSH session.

AI-Powered Analysis

Last updated: 09/17/2025, 00:52:57 UTC

Technical Analysis

CVE-2025-9996 is an OS command injection vulnerability (CWE-78) in Schneider Electric's Saitel DR RTU. The BLMon Console, reachable in an SSH session, wraps the 'netstat' command; the arguments a user supplies to it are passed to the underlying operating system without proper neutralization, so an authenticated user with low privileges can append shell metacharacters and have arbitrary shell commands executed on the device. The vulnerability affects all versions of the Saitel DR RTU product.

The CVSS 4.0 base score is 5.8 (medium). The vector indicates a local attack vector (AV:L), low attack complexity (AC:L), attack requirements present (AT:P, meaning exploitation depends on preconditions on the target that the attacker cannot simply choose, here an established BLMon Console session), low privileges required (PR:L), no user interaction (UI:N), high confidentiality impact (VC:H) and low integrity (VI:L) and availability (VA:L) impact. No user interaction is needed, but the attacker must already hold an SSH session on the RTU with at least low privileges, so initial access or credential compromise is a prerequisite.

No exploitation in the wild had been reported and no patch had been published at the time of this analysis. Successful exploitation allows arbitrary command execution, which could lead to unauthorized data disclosure or limited system manipulation. Because the product is a Remote Terminal Unit (RTU) used in industrial control systems, the vulnerability is a risk to operational technology environments, especially in critical infrastructure sectors where Schneider Electric products are deployed.
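The pattern the analysis describes (a console wrapper that forwards operator text to a shell) and one way to close it, as an added example. This is constructed illustrative code, not Schneider Electric's BLMon implementation, which is not public; the flag allowlist, the function names and the use of a POSIX shell are assumptions.

```python
"""Constructed model of a console wrapper around netstat (CWE-78).

Added example, not Schneider Electric's BLMon code (which is not public).
The vulnerable and hardened wrappers, the flag allowlist and the function
names are assumptions chosen to illustrate the advisory's description.
"""
import shlex
import subprocess

# Flags the hardened wrapper will forward to netstat (assumed allowlist).
ALLOWED_FLAGS = {"-a", "-n", "-t", "-u", "-l", "-r", "-i", "-an", "-tuln", "-rn"}


def build_shell_command(user_args: str) -> str:
    """Vulnerable pattern: operator text is spliced into a shell command line.

    Whatever /bin/sh treats as syntax (';', '|', '&&', '$(...)', newline)
    is honoured, so '-an; id' becomes two commands.
    """
    return f"netstat {user_args}"


def run_vulnerable(user_args: str) -> int:
    """shell=True hands the string to /bin/sh -c; this is the defect."""
    return subprocess.run(build_shell_command(user_args), shell=True, check=False).returncode


def shell_token_view(command_line: str) -> list[str]:
    """Show how a POSIX shell tokenizes the string the vulnerable path builds.

    Operators come out as separate tokens, which is exactly why '; id'
    is executed as a command rather than passed to netstat as an argument.
    """
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def validate_netstat_args(user_args: str) -> list[str]:
    """Hardened pattern, step 1: tokenize and allowlist every token.

    Anything not on the allowlist is rejected, so a token carrying shell
    syntax can never get through. shlex.split also raises ValueError on
    unbalanced quotes, which is treated the same as any other bad input.
    """
    tokens = shlex.split(user_args)
    rejected = [t for t in tokens if t not in ALLOWED_FLAGS]
    if rejected:
        raise ValueError(f"rejected netstat argument(s): {rejected}")
    return tokens


def run_hardened(user_args: str) -> int:
    """Hardened pattern, step 2: exec netstat directly, never via a shell.

    With an argv list and shell=False there is no shell to interpret
    metacharacters, so the allowlist is a second layer, not the only one.
    """
    argv = ["netstat", *validate_netstat_args(user_args)]
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    payload = "-an; id"
    print("vulnerable wrapper would run:", build_shell_command(payload))
    print("the shell sees:", shell_token_view(build_shell_command(payload)))
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened wrapper:", exc)
```

The allowlist alone is not the fix: the exec-without-shell step is what removes the interpreter that turns data into commands, and the allowlist keeps the wrapper from becoming a way to run netstat with flags the operator role should not have.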

Potential Impact

For European organizations, especially those operating critical infrastructure in energy, utilities, manufacturing and transportation, this vulnerability presents a significant risk. The Saitel DR RTU is typically deployed in industrial control system (ICS) and supervisory control and data acquisition (SCADA) environments. Exploitation gives an attacker command execution on the RTU, which could be used to disrupt monitoring and control functions, exfiltrate operational data, or stage further attacks on industrial processes. The advisory does not state which operating-system account the injected commands run as, so the effective privilege gained should be treated as unknown, and potentially full control of the device, until Schneider Electric says otherwise.

The high confidentiality impact indicates that sensitive operational data could be exposed, including network topology (netstat output itself), system configuration and operational parameters. Although the integrity and availability impacts are rated low, even limited manipulation or disruption in ICS environments can have outsized consequences, including safety risks and operational downtime. European organizations with these RTUs in critical infrastructure should treat the vulnerability as medium risk with potential for escalation when chained with other vulnerabilities or attack vectors.

The need for an authenticated SSH session limits remote exploitation but does not remove the risk: an attacker who gains an initial foothold through phishing, credential theft or an insider can use the console to run commands beyond what the account was meant to allow and to move laterally within the OT network.

Mitigation Recommendations

1. Restrict SSH access to the BLMon Console to trusted administrators only, using network segmentation and strict access control lists (ACLs).
2. Require multi-factor authentication (MFA) for SSH sessions to reduce the impact of credential compromise.
3. Monitor SSH sessions and command executions for behaviour indicative of command injection: a netstat invocation whose arguments contain shell metacharacters (';', '|', '&', '$(', backticks), or a shell spawned by the console that then runs something other than netstat.
4. Run host-based intrusion detection (HIDS) or process auditing on the RTUs where the platform supports it, so unexpected shell and child-process execution is recorded and alerted on.
5. Until a patch is available, disable or restrict the netstat command in the BLMon Console if operationally feasible.
6. Audit credentials and rotate passwords for every account with SSH access to the RTUs.
7. Apply network-level protections such as firewall rules so that only authorized management stations can reach the RTUs' SSH service.
8. Track Schneider Electric's advisory for a fix and plan timely deployment once one is available.
9. Add this vulnerability to incident response plans so that exploitation attempts can be detected and handled.
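A detection for recommendations 3 and 4, as an added example that is not part of the advisory or any Schneider Electric tooling. It assumes the RTU (or a host the console's commands are proxied through) runs Linux auditd with an execve rule; the sample records below are constructed for this example, and the "sh -c netstat ..." shape is an assumption about how a shell-based wrapper would appear. auditd hex-encodes any argument containing a space, a double quote or a control character, so the decoder handles both the quoted and the hex form.

```python
"""Detect shell-mediated netstat invocations in auditd EXECVE records.

Added example for mitigation items 3 and 4, not a Schneider Electric tool.
The sample records are constructed; audit IDs, timestamps and the
'sh -c netstat ...' shape are assumptions about how the console's wrapper
would appear to auditd. auditd hex-encodes arguments that contain a space,
a double quote or a control character, so both forms are decoded.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: a direct exec (benign), a wrapped "netstat -an"
# (benign), "netstat -an; id" (injection), an unrelated "ls", and
# "netstat -rn|sh" (injection). Hex values are what auditd would emit.
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1757498471.101:455): argc=2 a0="netstat" a1="-an"
type=EXECVE msg=audit(1757498480.220:456): argc=3 a0="/bin/sh" a1="-c" a2=6E657473746174202D616E
type=EXECVE msg=audit(1757498502.338:457): argc=3 a0="/bin/sh" a1="-c" a2=6E657473746174202D616E3B206964
type=EXECVE msg=audit(1757498530.007:458): argc=3 a0="/bin/sh" a1="-c" a2="ls"
type=EXECVE msg=audit(1757498541.512:459): argc=3 a0="/bin/dash" a1="-c" a2=6E657473746174202D726E7C7368
"""

AUDIT_ID = re.compile(r"msg=audit\(([^)]+)\)")
# aN=<"quoted"> or aN=<HEX>; argc= does not match because a digit must follow 'a'.
AUDIT_ARG = re.compile(r'\b(a\d+)=("(?:[^"\\]|\\.)*"|[0-9A-Fa-f]+)')
SHELL_META = re.compile(r"[;&|`$<>\n]")
SHELLS = {"sh", "bash", "dash", "ash"}


def decode_arg(raw: str) -> str:
    """Unquote a quoted auditd value or decode its hex form."""
    if raw.startswith('"'):
        return raw[1:-1]
    if len(raw) % 2:
        raise ValueError(f"odd-length hex value: {raw}")
    return bytes.fromhex(raw).decode("utf-8", errors="replace")


def parse_execve(line: str) -> Optional[List[str]]:
    """Return argv for an EXECVE record, or None for any other record type."""
    if not line.startswith("type=EXECVE "):
        return None
    args = {k: decode_arg(v) for k, v in AUDIT_ARG.findall(line)}
    return [args[k] for k in sorted(args, key=lambda k: int(k[1:]))]


def detect_netstat_injection(lines) -> List[Tuple[str, str]]:
    """Flag 'sh -c' executions whose command starts with netstat and carries shell syntax.

    A direct exec of netstat (argv[0] == "netstat") is never flagged: there
    is no shell in the path, so there is nothing to inject into.
    """
    alerts = []
    for line in lines:
        argv = parse_execve(line)
        if argv is None or len(argv) < 3:
            continue
        if argv[0].rsplit("/", 1)[-1] not in SHELLS or argv[1] != "-c":
            continue
        cmd = argv[2]
        if cmd.lstrip().startswith("netstat") and SHELL_META.search(cmd):
            match = AUDIT_ID.search(line)
            alerts.append((match.group(1) if match else "?", cmd))
    return alerts


if __name__ == "__main__":
    for audit_id, cmd in detect_netstat_injection(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"ALERT audit={audit_id} shell-wrapped netstat with metacharacters: {cmd!r}")
```

An audit rule of the form `-a always,exit -F arch=b64 -S execve -k console_exec` (use the architecture the RTU actually runs, which the advisory does not state) produces the EXECVE records this parser consumes. Because the wrapper always spawns a shell, the benign "netstat -an" record is logged too; the metacharacter check is what separates normal use from an injection attempt, and an unexpected child of that shell (anything other than netstat) is the second signal worth alerting on.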


Technical Details

Data Version: 5.1
Assigner Short Name: schneider
Date Reserved: 2025-09-04T16:16:03.592Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c09a1b9ed239a66bacd6e5

Added to database: 9/9/2025, 9:20:27 PM

Last enriched: 9/17/2025, 12:52:57 AM

Last updated: 10/30/2025, 6:52:52 AM


