Cyber Resilience

CVE-2026-6866

HighUpdated

Published: 12 May 2026

Published
12 May 2026
Modified
24 June 2026
KEV Added
Patch
CVSS Score v4 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0029 20.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-6866 is a high-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in Schneider-Electric Ecostruxure Panel Server Pas400 Firmware. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 20.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could cause unauthorized disclosure of sensitive information when credentials revert to initial settings in rare circumstances, enabling unauthorized authentication using known credentials.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Directly enables use of default/initial credentials for unauthorized authentication due to insecure defaults reverting in rare cases.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

schneider-electric
ecostruxure panel server pas400 firmware
≤ 002.006.000
schneider-electric
ecostruxure panel server pas600 firmware
≤ 002.006.000
schneider-electric
ecostruxure panel server pas600v2 firmware
≤ 002.006.000
schneider-electric
ecostruxure panel server pas800 firmware
≤ 002.006.000
schneider-electric
ecostruxure panel server pas800v2 firmware
≤ 002.006.000

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-1188

Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines.

addresses: CWE-1188

Reviewing and updating baseline when components are installed or upgraded prevents initialization with insecure defaults.

addresses: CWE-1188

Requiring explicit configuration to minimal functionality overrides insecure defaults that would otherwise enable excess capabilities.

addresses: CWE-1188

Tailoring replaces or augments insecure default initializations with system-specific values and compensating controls before deployment.

addresses: CWE-1188

Central configuration overrides or replaces insecure default initializations that would otherwise be left unchanged on each system.

addresses: CWE-1188

SCRM practices during acquisition and configuration management address insecure default initializations shipped by vendors.

addresses: CWE-1188

Scans detect resources initialized with insecure defaults that create exploitable conditions.

addresses: CWE-1188

Instruction on secure initialization of security controls prevents leaving resources with insecure defaults after installation.

References