Schneider Electric Quantum Ethernet Module Hard-Coded Credentials
Low Risk | ICS-CERT ICSA-12-018-01B | Oct 21, 2012
Summary
Multiple Schneider Electric Quantum Ethernet modules and network interface cards contain hard-coded credentials that cannot be changed or disabled. The affected devices include STBNIC2212, STBNIP series, BMXP342 modules, 140NOE Ethernet bridges, 140CPU controllers, 140NOC modules, TSX series controllers and Ethernet adapters, and BMXNOE/BMXNOC modules. An attacker with network access to any of these modules could use the embedded credentials to gain administrative access and modify PLC logic or configuration. Schneider Electric has not released firmware updates for any affected product.
What this means
What could happen
An attacker with network access to an affected Schneider Electric Quantum Ethernet module could log in using hard-coded credentials, allowing them to read sensitive configuration data, modify PLC logic, or disrupt control operations in energy facilities.
Who's at risk
Energy sector operators running Schneider Electric Quantum PLC modules and Ethernet communication cards (STBNIC, STBNIP, BMXP, 140NOE, 140CPU, 140NOC, TSXETY, TSXP5, TSXETC, BMXNOE, BMXNOC series). This affects legacy automation systems in power generation, transmission, and distribution facilities, as well as any industrial process control using these controllers.
How it could be exploited
An attacker discovers the device is reachable from the network (directly or through a compromised workstation). They connect to the module's management interface and log in using known hard-coded credentials embedded in the firmware. Once authenticated, they can access and modify the PLC program, configuration, or process parameters.
Prerequisites
- Network access to the Ethernet module management interface (typically port 502 or vendor-specific port)
- Knowledge of hard-coded credential pairs (embedded in product firmware)
- No authentication change required—credentials are factory-set and cannot be changed
- Remotely exploitable
- Hard-coded credentials embedded in firmware
- No patch available—vendor end-of-life products
- Affects energy sector critical infrastructure
- No authentication change possible
Exploitability
Moderate exploit probability (EPSS 7.0%)
Affected products (26)
26 EOL
Product | Affected Versions | Fix Status
STBNIC2212 | ≤ Firmware V2.10 | No fix (EOL)
STBNIP2212 | ≤ Firmware V2.73 | No fix (EOL)
BMXP342020 | ≤ Firmware V2.2 | No fix (EOL)
BMXP342030 | ≤ Firmware V2.2 | No fix (EOL)
140NOE77101 | ≤ Firmware V4.9 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to affected Ethernet modules using firewall rules or network segmentation. Block unauthorized access from engineering workstations and external networks.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: STBNIC2212 (≤ Firmware V2.10), STBNIP2212 (≤ Firmware V2.73), BMXP342020 (≤ Firmware V2.2), BMXP342030 (≤ Firmware V2.2), 140NOE77101 (≤ Firmware V4.9), 140NOE77111 (≤ Firmware V5.0), 140NOE77100 (≤ Firmware V3.4), 140NOE77110 (≤ Firmware V3.3), 140CPU65150 (≤ Firmware V3.5), 140CPU65160 (≤ Firmware V3.5), 140CPU65260 (≤ Firmware V3.5), 140NOC77101 (≤ Firmware V1.01), TSXETY4103 (≤ Firmware V5.0), TSXETY5103 (≤ Firmware V5.0), TSXP571634M (≤ Firmware V4.9), TSXP572634M (≤ Firmware V4.9), TSXP573634M (≤ Firmware V4.9), TSXP575634M (≤ Firmware V3.5), TSXP576634M (≤ Firmware V3.5), TSXETC101 (≤ Firmware V1.01), BMXNOE0100 (≤ Firmware V2.3), BMXNOE0110 (≤ Firmware V4.65), BMXNOC0401 (≤ Firmware V1.01), STBNIP2311 (≤ Firmware V3.01), 140NOC77100 (≤ Firmware V1.01), TSXP574634M (≤ Firmware V3.5). Apply the following compensating controls:
HARDENING: Implement air-gapping or VLAN isolation for legacy Quantum PLC networks that cannot be updated.
HARDENING: Monitor and log all connections to affected module management interfaces. Alert on authentication attempts using the hard-coded credentials.
HARDENING: Inventory all Schneider Electric Quantum modules in your facility and determine whether newer product models that can receive security patches are available for replacement.
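One way to implement the connection-monitoring control above, as an added example that is not part of the original advisory or any vendor tooling: it reads firewall flow records and flags traffic to inventoried modules from sources outside an allow-list. The module addresses, the workstation subnet and the log line format are constructed assumptions; only port 502 comes from the advisory.

```python
import ipaddress

# Assumed site inventory: IPs of affected modules (constructed addresses).
AFFECTED_MODULES = {"10.20.0.11": "140NOE77101", "10.20.0.12": "BMXNOE0100"}
# Assumed allow-list: subnet of authorized engineering workstations.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.1.0/28")]
# Port 502 is named in the advisory; add vendor-specific ports used on site.
MGMT_PORTS = {502}

# Constructed flow records: "timestamp src_ip dst_ip dst_port action".
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.20.1.5 10.20.0.11 502 ALLOW
2024-05-01T08:00:07Z 10.30.4.9 10.20.0.11 502 ALLOW
2024-05-01T08:01:12Z 192.0.2.44 10.20.0.12 502 DENY
2024-05-01T08:02:30Z 10.20.1.6 10.20.0.50 502 ALLOW
malformed line
2024-05-01T08:03:00Z 10.30.4.9 10.20.0.12 123 ALLOW
"""

def parse(line):
    """Return (ts, src, dst, port, action), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        return ts, ipaddress.ip_address(src), dst, int(port), action
    except ValueError:
        return None

def find_alerts(log_text):
    """Flag traffic to affected modules from sources outside the allow-list."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, port, action = rec
        if dst not in AFFECTED_MODULES or port not in MGMT_PORTS:
            continue
        if any(src in net for net in ALLOWED_SOURCES):
            continue
        # The credentials cannot be changed, so a permitted connection from an
        # unauthorized source is a segmentation gap, not just a probe.
        severity = "high" if action == "ALLOW" else "medium"
        alerts.append({"time": ts, "src": str(src), "dst": dst,
                       "module": AFFECTED_MODULES[dst], "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

A "high" alert means the firewall passed the traffic and the rule set needs tightening; a "medium" alert is a blocked attempt worth tracing back to its source.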
CVEs (1)