CVE-2025-9997: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Schneider Electric Saitel DR RTU

Severity: Medium
Tags: Vulnerability, CVE-2025-9997, CWE-78
Published: Tue Sep 09 2025 (09/09/2025, 21:12:35 UTC)
Source: CVE Database V5
Vendor/Project: Schneider Electric
Product: Saitel DR RTU

Description

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause command injection in BLMon that is executed in the operating system console when in an SSH session.

AI-Powered Analysis

AILast updated: 09/17/2025, 00:55:41 UTC

Technical Analysis

CVE-2025-9997 is an OS Command Injection vulnerability (CWE-78) identified in Schneider Electric's Saitel DR RTU product. The vulnerability arises from improper neutralization of special elements used in operating system commands within the BLMon component, which executes commands in the OS console during an SSH session. This flaw allows an attacker with low-level privileges and partial authentication to inject arbitrary OS commands, potentially leading to unauthorized command execution on the affected device. The vulnerability affects all versions of the Saitel DR RTU product. The CVSS v4.0 base score is 5.8 (medium severity), with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), partial authentication required (AT:P), low privileges (PR:L), no user interaction (UI:N), and high impact on confidentiality (VC:H), with low impact on integrity (VI:L) and availability (VA:L). The vulnerability does not require user interaction and does not involve scope or security property changes beyond the affected component. No known exploits are currently in the wild, and no patches have been published yet. The vulnerability is significant because Saitel DR RTU devices are used in industrial control systems (ICS) and critical infrastructure environments, where unauthorized command execution could disrupt operations or lead to further compromise. The exploitation requires SSH access with some authentication, but the low privilege level and lack of user interaction increase the risk if attackers gain initial access to the network segment hosting these devices.

Potential Impact

For European organizations, particularly those operating critical infrastructure such as energy grids, water treatment, and industrial automation, this vulnerability poses a moderate risk. Successful exploitation could allow attackers to execute arbitrary commands on Saitel DR RTU devices, potentially leading to unauthorized data access, manipulation of control processes, or disruption of industrial operations. Given the high confidentiality impact, sensitive operational data could be exposed. Although the integrity and availability impacts are rated low, even limited disruption or unauthorized command execution in ICS environments can have cascading effects on safety and operational continuity. The requirement for partial authentication and local access reduces the likelihood of remote exploitation but does not eliminate risk, especially if attackers gain a foothold through lateral movement or compromised credentials. European organizations relying on Schneider Electric's Saitel DR RTU should treat this vulnerability seriously, given the strategic importance of industrial control systems in national infrastructure and the potential for targeted attacks.

Mitigation Recommendations

1. Restrict SSH access to Saitel DR RTU devices strictly to trusted administrators and management networks using network segmentation and access control lists (ACLs).
2. Implement multi-factor authentication (MFA) for SSH access to reduce the risk of credential compromise.
3. Monitor SSH sessions and command executions on these devices for anomalous activity indicative of command injection attempts.
4. Employ strict input validation and sanitization at the application level where possible, and liaise with Schneider Electric for timely patches or firmware updates addressing this vulnerability.
5. Conduct regular vulnerability assessments and penetration testing focused on ICS environments to detect exploitation attempts.
6. Maintain up-to-date asset inventories to quickly identify affected devices and prioritize remediation.
7. Use intrusion detection/prevention systems (IDS/IPS) tuned for ICS protocols and behaviors to detect lateral movement or exploitation attempts.
8. Prepare incident response plans specific to ICS compromise scenarios to minimize operational impact if exploitation occurs.
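Recommendations 3 and 4 above describe two defensive controls for a CWE-78 weakness: strict allowlist validation of arguments before they reach an OS command, and monitoring of logged SSH command executions for injection indicators. The following is an added example, not code from Schneider Electric, the Saitel DR RTU firmware, or BLMon (whose internals are not on this page). It uses a hypothetical console tool named `blmon`, a hypothetical argument allowlist, and a constructed audit-log line format; all three are assumptions made for illustration.

```python
import re
import shlex
import subprocess
from typing import Iterable, List, Tuple

# Assumed allowlist for a single console-tool argument: letters, digits,
# underscore, dot and dash only, bounded length. Anything else is rejected
# before it can reach the OS shell.
_SAFE_ARG = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Shell metacharacters whose presence in a logged command is worth alerting on.
_METACHARS = set(";|&`$<>\n")


def is_safe_args(args: Iterable[str]) -> bool:
    """True only if every argument matches the strict allowlist."""
    return all(_SAFE_ARG.fullmatch(a) for a in args)


def build_command(tool: str, args: Iterable[str]) -> List[str]:
    """Build an argv list for the hypothetical tool; raises on any bad argument.

    Passing a list with shell=False means the OS never re-parses the
    arguments, so metacharacters cannot start a second command.
    """
    args = list(args)
    if not is_safe_args(args):
        raise ValueError("argument rejected by allowlist")
    return [tool, *args]


def run_tool_unsafe(tool: str, user_input: str) -> subprocess.CompletedProcess:
    """The CWE-78 pattern, shown for contrast only (never called here):
    user input is interpolated into a string that a shell then parses."""
    return subprocess.run(f"{tool} {user_input}", shell=True,
                          capture_output=True, text=True, check=False)


def run_tool_hardened(tool: str, args: Iterable[str]) -> subprocess.CompletedProcess:
    """Validated argv list, no shell: the hardened counterpart."""
    return subprocess.run(build_command(tool, args), shell=False,
                          capture_output=True, text=True, check=False)


# Constructed audit-log format (assumption): "<timestamp> <host> <user> cmd=\"...\""
_LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) cmd="(?P<cmd>.*)"$')

# Constructed sample lines for a hypothetical RTU console audit log.
SAMPLE_LOG = [
    '2025-09-09T21:12:35Z rtu01 operator cmd="blmon status"',
    '2025-09-09T21:13:02Z rtu01 operator cmd="blmon status; id"',
    '2025-09-09T21:14:10Z rtu01 operator cmd="blmon show /tmp/x"',
]


def find_suspicious(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (user, command, reason) for each logged command that either
    contains a shell metacharacter or carries an argument outside the allowlist."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        user, cmd = m.group("user"), m.group("cmd")
        if any(ch in cmd for ch in _METACHARS):
            hits.append((user, cmd, "shell metacharacter"))
            continue
        try:
            parts = shlex.split(cmd)
        except ValueError:
            hits.append((user, cmd, "unbalanced quoting"))
            continue
        if not is_safe_args(parts[1:]):
            hits.append((user, cmd, "argument outside allowlist"))
    return hits


if __name__ == "__main__":
    for user, cmd, reason in find_suspicious(SAMPLE_LOG):
        print(f"ALERT user={user} reason={reason!r} cmd={cmd!r}")
```

The allowlist is deliberately narrow; on a real device it should be derived from the tool's documented argument grammar rather than widened to admit whatever operators happen to type. The detector runs the same allowlist over audit data, so a rejected argument at the application layer and an alert in monitoring are produced by one rule rather than two that can drift apart.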


Technical Details

Data Version: 5.1
Assigner Short Name: schneider
Date Reserved: 2025-09-04T16:16:04.091Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c09d9f9ed239a66bacf8e4

Added to database: 9/9/2025, 9:35:27 PM

Last enriched: 9/17/2025, 12:55:41 AM

Last updated: 10/30/2025, 8:22:48 AM

