Schneider Electric EcoStruxure Panel Server
Schneider Electric EcoStruxure Panel Server has a vulnerability allowing unauthorized authentication.
Summary
Schneider Electric has disclosed a vulnerability in its EcoStruxure Panel Server product, identified as CVE-2026-6866. This flaw, categorized as 'Initialization of a Resource with an Insecure Default', could allow unauthorized authentication and access to sensitive information if credentials revert to initial settings. The vulnerability affects multiple versions of the PAS800, PAS800V2, PAS600, PAS600V2, and PAS400 models. A fix is available in version 002.006.000.
Full text
ICS Advisory
Schneider Electric EcoStruxure Panel Server
Release Date: June 09, 2026
Alert Code: ICSA-26-160-03
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems

Summary
Schneider Electric is aware of a vulnerability in its EcoStruxure Panel Server offer. The EcoStruxure Panel Server is a high performance, modular gateway with enhanced cybersecurity that provides easy and fast connections to multiple concurrent edge control or cloud applications. Failure to apply the remediations provided below may risk unauthorized authentication, which could lead to access to sensitive information.

The following versions of Schneider Electric EcoStruxure Panel Server are affected:
* EcoStruxure Panel Server PAS800 vers:intdot/<=002.005.000
* EcoStruxure Panel Server PAS800 vers:intdot/=002.006.000
* EcoStruxure Panel Server PAS800V2 vers:intdot/<=002.005.000
* EcoStruxure Panel Server PAS800V2 vers:intdot/=002.006.000
* EcoStruxure Panel Server PAS600 vers:intdot/<=002.005.000
* EcoStruxure Panel Server PAS600 vers:intdot/=002.006.000
* EcoStruxure Panel Server PAS600V2 vers:intdot/<=002.005.000
* EcoStruxure Panel Server PAS600V2 vers:intdot/=002.006.000
* EcoStruxure Panel Server PAS400 vers:intdot/<=002.005.000
* EcoStruxure Panel Server PAS400 vers:intdot/=002.006.000

CVSS: v3 7.5
Vendor: Schneider Electric
Equipment: Schneider Electric EcoStruxure Panel Server
Vulnerabilities: Initialization of a Resource with an Insecure Default

Background
* Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
* Countries/Areas Deployed: Worldwide
* Company Headquarters Location: France

Vulnerabilities
CVE-2026-6866
A CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could cause unauthorized disclosure of sensitive information when credentials revert to initial settings in rare circumstances, enabling unauthorized authentication using known credentials.

Affected Products
Schneider Electric EcoStruxure Panel Server
Vendor: Schneider Electric
Product Version:
* EcoStruxure Panel Server PAS800 Versions 002.005.000 and prior
* EcoStruxure Panel Server PAS800V2 Versions 002.005.000 and prior
* EcoStruxure Panel Server PAS600 Versions 002.005.000 and prior
* EcoStruxure Panel Server PAS600V2 Versions 002.005.000 and prior
* EcoStruxure Panel Server PAS400 Versions 002.005.000 and prior
Product Status: fixed, known_affected

Remediations
Vendor fix: Version 002.006.000 of EcoStruxure Panel Server includes a fix for this vulnerability and is available for download here (reboot needed: Yes, for each package):
* https://www.se.com/ww/en/download/document/PAS800_Firmware_Package/
* https://www.se.com/ww/en/download/document/PAS800V2_Firmware_Package/
* https://www.se.com/ww/en/download/document/PAS600_Firmware_Package/
* https://www.se.com/ww/en/download/document/PAS600V2_Firmware_Package/
* https://www.se.com/ww/en/download/document/PAS400_Firmware_Package/

Relevant CWE: CWE-1188 Initialization of a Resource with an Insecure Default
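An added example, not part of the advisory or any Schneider Electric tooling: a check that evaluates an asset inventory against the advisory's `vers:intdot` constraints to show which Panel Servers still need the 002.006.000 firmware. The function names, the `not_listed` and `unknown` labels, the zero-padding rule and the inventory rows are assumptions of this example.

```python
import re

# Constraint strings copied from the advisory. The status paired with each is
# this example's reading of its "Product Status" and remediation text.
ADVISORY_RANGES = [
    ("vers:intdot/<=002.005.000", "known_affected"),
    ("vers:intdot/=002.006.000", "fixed"),
]
AFFECTED_MODELS = {"PAS800", "PAS800V2", "PAS600", "PAS600V2", "PAS400"}

def parse_intdot(version):
    """'002.005.000' -> (2, 5, 0): components compare as integers."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-integer version: {version!r}")
    return tuple(int(p) for p in parts)

def parse_constraint(vers):
    # Handles a single constraint of the form 'vers:intdot/<op><version>'.
    m = re.fullmatch(r"vers:intdot/(<=|>=|<|>|=)?([0-9.]+)", vers)
    if not m:
        raise ValueError(f"unsupported VERS string: {vers!r}")
    return m.group(1) or "=", parse_intdot(m.group(2))

def matches(version, vers):
    op, bound = parse_constraint(vers)
    v = parse_intdot(version)
    # Assumption: pad with zeros so '2.6' and '002.006.000' compare equal.
    width = max(len(v), len(bound))
    v += (0,) * (width - len(v))
    bound += (0,) * (width - len(bound))
    return {"<=": v <= bound, ">=": v >= bound, "<": v < bound,
            ">": v > bound, "=": v == bound}[op]

def classify(model, firmware):
    """Advisory status for one inventory entry."""
    if model.upper() not in AFFECTED_MODELS:
        return "not_listed"
    for vers, status in ADVISORY_RANGES:
        if matches(firmware, vers):
            return status
    return "unknown"  # version the advisory does not mention

# Constructed inventory rows (model, firmware); not real devices.
INVENTORY = [("PAS600", "002.005.000"), ("PAS800", "2.6.0"),
             ("PAS400", "001.010.003"), ("OTHER-GATEWAY", "002.004.000")]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(model, fw, classify(model, fw), sep="\t")
```

Entries reported as `known_affected` are the ones to schedule for the firmware update and reboot; `unknown` means the advisory says nothing about that version.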
Metrics
CVSS Version: 3.1
Base Score: 7.5
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Acknowledgments
* Schneider Electric CPCERT reported this vulnerability to CISA.
* A Schneider Electric Partner reported this vulnerability to Schneider Electric.

General Security Recommendations
We strongly recommend the following industry cybersecurity best practices.
* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
* Place all controllers in locked cabinets and never leave them in the “Program” mode.
* Never connect programming software to any network other than the network intended for that device.
* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric [Recommended Cybersecurity Best Practices](https://www.se.com/us/en/download/document/7EN52-0390/) document.

For More Information
This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate.
For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.

For further information related to cybersecurity in Schneider Electric's products, visit the company's cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp

LEGAL DISCLAIMER
THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS “NOTIFICATION”) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION

About Schneider Electric
Schneider's purpose is to create Impact by empowering all to make the most of our energy and resources, bridging progress and sustainability for all.
Indicators of Compromise
- cve — CVE-2026-6866