A high-severity OS command injection vulnerability in Schneider PowerLogic P7 devices allows privileged attackers to execute unauthorized commands, threatening system integrity.

This is an OS command injection vulnerability (CWE-78) triggered when a privileged authenticated user interacts with a network-exposed service. The flaw allows the injection of malicious system commands that execute with elevated permissions.

The CVSS score of 8.6 reflects the critical impact of command injection on industrial control systems. Unauthorized execution of system commands can lead to full device compromise, loss of confidentiality regarding operational data, and potential disruption of power management functions, posing significant operational and safety risks.

Immediate Action: Update the affected PowerLogic P7 firmware to the latest version provided by Schneider Electric to neutralize the command injection vector.

Proactive Monitoring: Monitor device audit logs for unusual command execution patterns or unexpected system-level configuration changes.

Compensating Controls: Enforce strict access control policies to ensure only minimal, necessary privileges are assigned to service accounts, reducing the impact of a compromised account.

Public Exploit Available: false

While this vulnerability requires authenticated access, the ability to escalate commands to the system level necessitates a high-priority response. IT and OT security teams must ensure that firmware updates are tested and deployed rapidly to maintain the integrity of the PowerLogic environment.