An OS command injection vulnerability (CWE-78) was discovered in multiple energy meter and monitoring devices from Janitza and Weidmueller, including the Janitza UMG 96RM-E and Weidmueller ENERGY METER 750 models running version 3.13 or earlier. Exploiting this flaw would allow an unauthenticated attacker to execute arbitrary operating system commands remotely, leading to a complete compromise of the device. Attackers could then manipulate energy consumption data, disable monitoring, or pivot deeper into the OT network.
The UK Government's recently unveiled Energy Sector Cyber Security Strategy (2026–2030) highlights that cyber activity is more rife and sophisticated than ever before. The sector is now a top target, facing challenges from: energy client patched