PatchSiren cyber security CVE debrief
CVE-2025-9997 Schneider Electric CVE debrief
Schneider Electric has disclosed a command injection vulnerability affecting Saitel DR and Saitel DP remote terminal units. According to the advisory, the issue can let a user inject OS commands in BLMon when operating in an SSH session. The vendor provides fixed firmware and recommends restricting access, enforcing least privilege, and limiting SSH exposure while upgrades are planned.
- Vendor: Schneider Electric
- Product: Unknown
- CVSS: MEDIUM 6.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-09-18
- Original CVE updated: 2025-09-18
- Advisory published: 2025-09-18
- Advisory updated: 2025-09-18
Who should care
Industrial control system operators, OT administrators, and security teams responsible for Schneider Electric Saitel DR RTU and Saitel DP RTU deployments—especially environments that allow SSH access to the devices or use BLMon for operational tasks.
Technical summary
The source advisory identifies CWE-78 (Improper Neutralization of Special Elements used in an OS Command) in BLMon on Schneider Electric Saitel DR RTU and Saitel DP RTU. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L (CVSS 3.1 score 6.6, Medium). The advisory states the flaw can cause command injection in the operating system console during an SSH session. Remediation includes Saitel DR firmware 11.06.30 (fix for versions 11.06.29 and prior) and Saitel DP firmware 11.06.34 (fix for versions 11.06.33 and prior), with a reboot required to complete the upgrade.
Defensive priority
Medium. The CVSS score is Medium (6.6) and the vector indicates that local access with low privileges is required, but the impact is meaningful for OT devices that expose SSH or administrative workflows. Prioritize if these RTUs are reachable or if BLMon is used operationally.
Recommended defensive actions
- Apply the vendor fix as soon as operationally feasible: Saitel DR firmware 11.06.30 or later, and Saitel DP firmware 11.06.34 or later.
- Plan for the required reboot and validate the upgrade in a test or offline environment before deployment.
- Back up device configurations and establish a rollback plan before patching.
- Restrict BLMon access to a limited set of approved user roles.
- Assign users the least privileged role that still allows their duties.
- Implement firewall rules to restrict SSH connections to the device.
- Minimize network exposure for control system devices and keep them off the Internet.
- When remote access is required, use secure methods such as VPNs and keep them updated; do not rely on a VPN alone as a complete security control.
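The first action in the list turns into a concrete inventory question: which Saitel DR and DP units are still below 11.06.30 and 11.06.34 respectively. The following added example (not vendor code, and not part of the original debrief) triages a constructed asset inventory against the fixed versions named in the advisory and also notes, for each affected device, whether its SSH reachability is already restricted, since the firewall rule recommendation is the interim control. The `Device` fields and the sample devices are assumptions made for the example; the firmware thresholds are the advisory's.

```python
"""Inventory triage for CVE-2025-9997: added example, constructed sample data, not vendor code."""
from dataclasses import dataclass

# Fixed firmware per the advisory. Affected: DR 11.06.29 and prior, DP 11.06.33 and prior.
FIXED_FIRMWARE = {
    "Saitel DR RTU": "11.06.30",
    "Saitel DP RTU": "11.06.34",
}

ANY_SOURCE = "0.0.0.0/0"  # marker meaning SSH is reachable from any address


@dataclass(frozen=True)
class Device:
    """Hypothetical asset-inventory record (fields are assumptions for this example)."""
    name: str
    product: str
    firmware: str
    ssh_allowed_from: tuple  # CIDRs permitted to reach TCP/22 on the device


def parse_version(v: str) -> tuple:
    """'11.06.29' -> (11, 6, 29); tuples compare component-wise, unlike raw strings."""
    return tuple(int(part) for part in v.strip().split("."))


def needs_upgrade(device: Device) -> bool:
    """True when the device is a covered product running firmware below the fixed version."""
    fixed = FIXED_FIRMWARE.get(device.product)
    if fixed is None:
        return False  # product not covered by this advisory
    return parse_version(device.firmware) < parse_version(fixed)


def ssh_exposure_note(device: Device) -> str:
    """Interim-control status for the advisory's 'restrict SSH with firewall rules' action."""
    if ANY_SOURCE in device.ssh_allowed_from or not device.ssh_allowed_from:
        return "SSH reachable from any source; restrict before the upgrade window"
    return "SSH limited to " + ", ".join(device.ssh_allowed_from)


def triage(devices) -> list:
    """Return (device name, target firmware, SSH note) for each device that needs action."""
    findings = []
    for d in devices:
        if needs_upgrade(d):
            findings.append((d.name, FIXED_FIRMWARE[d.product], ssh_exposure_note(d)))
    return findings


# Constructed sample inventory; names, versions and networks are made up for the example.
SAMPLE_INVENTORY = [
    Device("rtu-substation-01", "Saitel DR RTU", "11.06.29", ("10.20.0.0/24",)),
    Device("rtu-substation-02", "Saitel DR RTU", "11.06.30", ("10.20.0.0/24",)),
    Device("rtu-feeder-07", "Saitel DP RTU", "11.06.33", (ANY_SOURCE,)),
    Device("rtu-feeder-08", "Saitel DP RTU", "11.06.34", ("10.20.0.0/24",)),
    Device("rtu-feeder-09", "Saitel DP RTU", "11.05.99", ("10.20.0.0/24", "10.21.0.0/24")),
]

if __name__ == "__main__":
    for name, target, note in triage(SAMPLE_INVENTORY):
        print(f"{name}: upgrade to {target} (reboot required); {note}")
```

Comparing versions as integer tuples matters here: a string comparison would rank "11.06.9" above "11.06.30". The output is a worklist ordered by inventory, so pair it with the reboot-window planning in the list above rather than applying it ad hoc.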
Evidence notes
All substantive facts in this debrief come from the supplied CISA CSAF advisory data for ICSA-25-261-03 / CVE-2025-9997 and the vendor remediation entries embedded in that source. The source states the vulnerability is a CWE-78 command injection issue in BLMon over SSH, lists the fixed firmware versions for Saitel DR and Saitel DP, and provides mitigation guidance. Supplied enrichment does not mark this CVE as KEV or associated with ransomware. Published and modified dates were taken from the provided timeline fields (2025-09-18T06:00:00Z).
Official resources
- CVE-2025-9997 CVE record (CVE.org)
- CVE-2025-9997 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CVE-2025-9997 and the source advisory were published on 2025-09-18. No KEV date was supplied in the provided corpus. This debrief is based only on the supplied advisory content and official links; it does not treat generation time as the CV