CISA flags Schneider Panel Server credential reset flaw
The fix is straightforward, but the required reboot makes this a scheduled outage item, not a casual firmware errand.
TL;DR
CISA issued ICSA-26-160-03 for CVE-2026-6866, a CVSS 7.5 vulnerability in Schneider Electric EcoStruxure Panel Server PAS400, PAS600, PAS600V2, PAS800 and PAS800V2 versions 002.005.000 and earlier. Version 002.006.000 fixes the insecure-default condition, which can allow unauthorized authentication using known credentials and expose sensitive information. Operators in commercial facilities, critical manufacturing and energy should plan the reboot required by the firmware update.
CISA’s advisory is a patch-and-schedule item. Schneider Electric says EcoStruxure Panel Server PAS400, PAS600, PAS600V2, PAS800 and PAS800V2 units running 002.005.000 and earlier can revert credentials to initial settings in rare circumstances, enabling unauthorized authentication with known credentials and disclosure of sensitive information. Firmware 002.006.000 is available for each affected model, and Schneider lists a reboot as required. For contractors and critical-infrastructure operators using these gateways in energy, manufacturing or commercial facility environments, the practical work is inventory first, then a maintenance window. The advisory does not give a temporary workaround beyond standard industrial-control isolation guidance, so unpatched exposed devices remain the problem to remove.
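Because the advisory's only real action is "inventory first, then a maintenance window", the first practical step is deciding which gateways actually fall inside the affected set. The following is an added example, not code from the advisory, CISA or Schneider Electric: it triages a constructed device inventory against the models and firmware threshold the advisory states. The model names, the 002.005.000 threshold and the 002.006.000 fix come from the advisory; the asset names, the inventory record format and the `OTHER-MODEL` placeholder are assumptions. It parses versions numerically so that an un-padded string such as `2.4.1` is still recognised as older than `002.006.000`, and it routes unparseable entries to a manual-review bucket rather than silently treating them as safe.

```python
# Added example, not code from the advisory, CISA or Schneider Electric: triage a
# constructed device inventory against the affected models and firmware threshold
# stated for CVE-2026-6866. Model names, the version threshold and the fixed
# version come from the advisory; device names, the record format and the
# OTHER-MODEL placeholder are assumptions.
from dataclasses import dataclass

AFFECTED_MODELS = {"PAS400", "PAS600", "PAS600V2", "PAS800", "PAS800V2"}
LAST_VULNERABLE = "002.005.000"  # this version and earlier are affected
FIXED_VERSION = "002.006.000"    # reboot required after installing


def parse_version(v: str) -> tuple:
    """Parse '002.005.000' (or un-padded '2.5.0') into (2, 5, 0).

    Comparing tuples of ints avoids the lexical trap where '2.5.0' sorts
    after '002.006.000' as a plain string even though it is older firmware.
    """
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized firmware version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(model: str, version: str) -> bool:
    """True when the model is in scope and firmware is 002.005.000 or earlier."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return False
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


@dataclass
class Device:
    name: str      # assumed asset tag
    model: str
    firmware: str  # as reported by the inventory tool


def triage(devices):
    """Split an inventory into: needs the reboot-required update, already fixed
    or out of scope, and entries whose version string needs a manual look."""
    result = {"update_required": [], "not_affected": [], "review": []}
    for d in devices:
        try:
            affected = is_affected(d.model, d.firmware)
        except ValueError:
            # Never assume an unreadable version is safe; send it to a human.
            result["review"].append(d.name)
            continue
        bucket = "update_required" if affected else "not_affected"
        result[bucket].append(d.name)
    return result


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("PNL-GW-01", "PAS800V2", "002.005.000"),  # last vulnerable version
    Device("PNL-GW-02", "PAS600", "2.4.1"),          # un-padded, still older
    Device("PNL-GW-03", "PAS400", "002.006.000"),    # fixed firmware
    Device("PNL-GW-04", "PAS800", "unknown"),        # inventory tool had no answer
    Device("OTHER-01", "OTHER-MODEL", "001.000.000"),  # placeholder, not in advisory
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The `update_required` bucket is the list that goes into the maintenance-window request, since each of those units needs the reboot the advisory lists; anything in `review` should be resolved before the window is booked, because a device whose firmware the inventory tool cannot read is exactly the one most likely to be forgotten.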
Published · Deep Fathom