Schneider Electric patches three flaws in PowerLogic P7 grid protection gear

The most serious bug lets an unauthenticated attacker knock the device's control screen offline. A firmware update is out.

ThreatVectr Newsdesk· 3 min read
Full-frame 16:9 photoreal editorial shot of an electrical substation control cabinet at dusk, rows of protection relays with small status LEDs glowing amber and
Share

Key points

  • Schneider Electric disclosed three vulnerabilities in its PowerLogic P7 protection and control platform, used in electrical networks worldwide.
  • The highest-rated flaw, CVE-2026-9716, scores 7.5 out of 10 and can crash the device's control interface remotely without a login.
  • A second flaw, CVE-2026-9717, could let a logged-in attacker run commands with elevated privileges on the device.
  • Firmware version V02.004.001 fixes all three issues and is available from Schneider Electric's Customer Care Center.
  • The vulnerabilities were found by researchers at Cytrics and reported through Schneider Electric's CPCERT team to CISA.

Schneider Electric has fixed three security bugs in the PowerLogic P7, a piece of equipment that sits inside electrical substations and helps protect the grid from faults. The disclosure came through CISA, the US Cybersecurity and Infrastructure Security Agency, which publishes advisories for industrial gear.

The P7 is what engineers call a protection relay. It watches the current flowing through power lines and trips breakers when something goes wrong. It runs in commercial buildings, factories and energy sites around the world.

All three flaws affect PowerLogic P7 firmware version 0.2.003.001.000 and earlier.

What can an attacker actually do?

The worst of the three, tracked as CVE-2026-9716, lets someone on the same network send a malformed request that crashes the device's human-machine interface — the screen and controls operators use to configure it. No password is needed. The device keeps protecting the circuit, but staff lose the ability to see or change its settings until it is rebooted. Schneider rates it 7.5 out of 10 on the standard severity scale.

The second bug, CVE-2026-9717, is a command injection flaw. That means an attacker who already has a privileged login can smuggle operating-system commands into a request the device trusts, and run them with high privileges. Rated 7.2. It hits confidentiality, integrity and availability.

The third, CVE-2026-9718, is a lower-severity denial-of-service issue that also needs an authenticated attacker. It scores 4.9.

All three sit on network services the device exposes — ports 8080 and 3702 — and involve SOAP requests, a common way applications talk to each other over the web, sent to a component called wsApp.

Is this being exploited?

There is no public evidence of exploitation in the wild. The bugs were reported privately to Schneider Electric by researchers at Cytrics, and Schneider's own CPCERT team passed them to CISA. That is the normal coordinated disclosure route for industrial kit.

Schneider has not attributed any activity to a specific group, and neither has CISA. Worth noting: industrial protection relays have been of interest to state-linked crews before, including the Sandworm cluster (Mandiant's naming) tied to Russia's GRU, which has repeatedly targeted Ukrainian electricity infrastructure. Nothing in this advisory links the P7 bugs to that activity. Capability is not the same as intent.

What should operators do?

Schneider's fix is firmware version V02.004.001, available through the company's Customer Care Center. Installing it requires a reboot of the device.

For sites that cannot patch immediately, Schneider recommends:

  • Restricting network access to ports 8080 and 3702 on P7 devices.
  • Watching for unusual SOAP traffic aimed at the wsApp component.
  • Keeping administrative accounts tightly scoped, so a stolen password does not hand an attacker the command-injection bug.

The broader advice from Schneider — and from every industrial cyber guideline of the past decade — is that this kind of equipment should never be reachable from the open internet. It belongs behind firewalls, on isolated networks, with remote access only through a VPN that is itself kept up to date.

Ordinary customers of utilities do not need to do anything. This is a job for the engineering teams that run substations.

© 2026 Threat Vectr