Schneider Electric Quantum Ethernet Module Hard-Coded Credentials

Low RiskICS-CERT ICSA-12-018-01BOct 21, 2012

Schneider ElectricEnergyManufacturing

Summary

Multiple Schneider Electric Quantum Ethernet modules and network interface cards contain hard-coded credentials that cannot be changed or disabled. The affected devices include STBNIC2212, STBNIP series, BMXP342 modules, 140NOE Ethernet bridges, 140CPU controllers, 140NOC modules, TSX series controllers and Ethernet adapters, and BMXNOE/BMXNOC modules. An attacker with network access to any of these modules could use the embedded credentials to gain administrative access and modify PLC logic or configuration. Schneider Electric has not released firmware updates for any affected product.

What this means

What could happen

An attacker with network access to an affected Schneider Electric Quantum Ethernet module could log in using hard-coded credentials, allowing them to read sensitive configuration data, modify PLC logic, or disrupt control operations in energy facilities.

Who's at risk

Energy sector operators running Schneider Electric Quantum PLC modules and Ethernet communication cards (STBNIC, STBNIP, BMXP, 140NOE, 140CPU, 140NOC, TSXETY, TSXP5, TSXETC, BMXNOE, BMXNOC series). This affects legacy automation systems in power generation, transmission, and distribution facilities, as well as any industrial process control using these controllers.

How it could be exploited

An attacker discovers the device is reachable from the network (directly or through a compromised workstation). They connect to the module's management interface and log in using known hard-coded credentials embedded in the firmware. Once authenticated, they can access and modify the PLC program, configuration, or process parameters.

Prerequisites

Network access to the Ethernet module management interface (typically port 502 or vendor-specific port)
Knowledge of hard-coded credential pairs (embedded in product firmware)
No authentication change required—credentials are factory-set and cannot be changed

Remotely exploitableHard-coded credentials embedded in firmwareNo patch available—vendor end-of-life productsAffects energy sector critical infrastructureNo authentication change possible

Exploitability

Some exploitation risk — EPSS score 7.0%

Affected products (36)

9 with fix27 EOL

ProductAffected VersionsFix Status

Modicon M340 <3.50<3.503.50

Modicon M580 <SV4.10<SV4.10SV4.10

Modicon M580 CPU Safety (part numbers BMEP58*S & BMEH58*S)<SV4.21SV4.21

Modicon RTU BMXNOR0200H <V1.7 IR24<V1.7 IR24V1.7 IR24

Modicon X80 Ethernet Communication Module <V2.11<V2.11V2.11

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to affected Ethernet modules using firewall rules or network segmentation. Block unauthorized access from engineering workstations and external networks.

Mitigations - no patch available

0/3

The following products have reached End of Life with no planned fix: Legacy Modicon Premium and Quantum All Versions, STBNIC2212: <=Firmware_V2.10, STBNIP2212: <=Firmware_V2.73, BMXP342020: <=Firmware_V2.2, BMXP342030: <=Firmware_V2.2, 140NOE77101: <=Firmware_V4.9, 140NOE77111: <=Firmware_V5.0, 140NOE77100: <=Firmware_V3.4, 140NOE77110: <=Firmware_V3.3, 140CPU65150: <=Firmware_V3.5, 140CPU65160: <=Firmware_V3.5, 140CPU65260: <=Firmware_V3.5, 140NOC77101: <=Firmware_V1.01, TSXETY4103: <=Firmware_V5.0, TSXETY5103: <=Firmware_V5.0, TSXP571634M: <=Firmware_V4.9, TSXP572634M: <=Firmware_V4.9, TSXP573634M: <=Firmware_V4.9, TSXP575634M: <=Firmware_V3.5, TSXP576634M: <=Firmware_V3.5, TSXETC101: <=Firmware_V1.01, BMXNOE0100: <=Firmware_V2.3, BMXNOE0110: <=Firmware_V4.65, BMXNOC0401: <=Firmware_V1.01, STBNIP2311: <=Firmware_V3.01, 140NOC77100: <=Firmware_V1.01, TSXP574634M: <=Firmware_V3.5. Apply the following compensating controls:

HARDENINGImplement air-gapping or VLAN isolation for legacy Quantum PLC networks that cannot be updated.

HARDENINGMonitor and log all connections to affected module management interfaces. Alert on authentication attempts using the hard-coded credentials.

HARDENINGInventory all Schneider Electric Quantum modules in your facility and determine if newer product models with patchable vulnerabilities are available for replacement.

CVEs (4)

CVE-2018-7241 CVE-2018-7240 CVE-2018-7242 CVE-2011-4859

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6aaec8f6-423c-4293-840e-0dbb0bbcdfd3

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.