Schneider Electric Modicon PLCs
Severity: Act Now (score 7.5)
Source: ICS-CERT ICSA-17-089-02
Published: Mar 30, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Schneider Electric Modicon M221, M241, and M251 PLCs contain weaknesses in how they generate and protect security-relevant values: values predictable from previously observed ones (CWE-343), use of insufficiently random values (CWE-330), and insufficiently protected credentials (CWE-522). Because the protections rest on values an observer can predict or recover, an attacker may be able to derive or bypass them without holding valid credentials. The weaknesses affect multiple firmware versions across these models.
What this means
What could happen
An attacker with network access to a Modicon PLC could decrypt communications or bypass authentication protections, potentially allowing unauthorized command execution that could alter process parameters, stop operations, or cause unsafe equipment behavior.
Who's at risk
Water utilities and electrical grid operators using Modicon M221, M241, or M251 PLCs for process control (pump stations, tank level control, equipment sequencing) are affected. Any facility where these devices handle critical automation and are connected to the operational network should implement compensating controls immediately.
How it could be exploited
An attacker on the network communicates directly with the Modicon PLC over Ethernet. They exploit weak cryptographic functions to decrypt authentication credentials or bypass security checks, then send unauthorized control commands to the device without valid credentials.
Prerequisites
- Network access to the PLC's Ethernet interface (TCP port 502, the standard Modbus TCP port)
- No valid credentials required
- Ability to observe or intercept traffic to or from the PLC, so that predictable or insufficiently protected values can be recovered from it
Tags: remotely exploitable, no authentication required, low complexity, high EPSS score (18.6%), no patch available, affects automation controllers
Exploitability
High exploit probability (EPSS 18.6%, the estimated probability of exploitation activity in the wild within the next 30 days)
Affected products (5), all end-of-life (EOL)
Product        Affected versions     Fix status
Modicon M221   firmware < 1.5.0.0    No fix (EOL)
Modicon M241   firmware < 4.0.5.11   No fix (EOL)
Modicon M241   all versions          No fix (EOL)
Modicon M251   all versions          No fix (EOL)
Modicon M251   firmware < 4.0.5.11   No fix (EOL)
Remediation & Mitigation
Do now
[HARDENING] Implement network segmentation to restrict access to Modicon PLCs: place them on an isolated industrial network with firewall rules that allow only authorized engineering workstations and SCADA systems to reach them.
[HARDENING] Deploy network monitoring and traffic filtering on the industrial network to detect and block unauthorized connections to Modicon PLC Ethernet ports.
[HARDENING] Review and restrict network access: disable remote management ports unless absolutely required, and use VPN or jump-host access for any remote engineering activities.
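The segmentation and monitoring items above amount to one policy: only named engineering and SCADA hosts may reach Modbus TCP (port 502) on the PLC segment, and anything else that tries is flagged and blocked. The following is an added example, not code from the advisory or from Schneider Electric, that applies such an allow-list to constructed Zeek-style conn.log records and renders the same policy as an nftables ruleset for the segment firewall. The addresses (PLC segment 10.10.5.0/24, engineering workstation 10.10.1.10, SCADA server 10.10.1.20) and the log lines are assumptions made for the example.

```python
"""Allow-list check for Modbus TCP traffic into a Modicon PLC segment.

Added example; not part of the advisory or of any vendor tooling.
Assumed (hypothetical) topology: PLCs live in 10.10.5.0/24, and only the
engineering workstation 10.10.1.10 and SCADA server 10.10.1.20 may reach
TCP/502 on them. Log records are constructed in Zeek conn.log style
(tab-separated: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

PLC_NETWORK = ipaddress.ip_network("10.10.5.0/24")  # assumed PLC segment
PLC_PORTS = {502}                                    # Modbus TCP
AUTHORIZED_SOURCES = {                                # assumed allow-list
    ipaddress.ip_address("10.10.1.10"),  # engineering workstation
    ipaddress.ip_address("10.10.1.20"),  # SCADA server
}


@dataclass(frozen=True)
class Conn:
    ts: float
    uid: str
    orig_h: ipaddress.IPv4Address | ipaddress.IPv6Address
    orig_p: int
    resp_h: ipaddress.IPv4Address | ipaddress.IPv6Address
    resp_p: int
    proto: str


def parse_conn_line(line: str) -> Conn | None:
    """Parse one Zeek-style conn.log record; header/comment lines give None."""
    if not line or line.startswith("#"):
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 7:
        return None
    return Conn(float(f[0]), f[1], ipaddress.ip_address(f[2]), int(f[3]),
                ipaddress.ip_address(f[4]), int(f[5]), f[6])


def is_violation(c: Conn) -> bool:
    """True when a host outside the allow-list reaches a PLC Modbus port."""
    if c.proto != "tcp" or c.resp_p not in PLC_PORTS:
        return False
    if c.resp_h not in PLC_NETWORK:
        return False
    return c.orig_h not in AUTHORIZED_SOURCES


def find_violations(lines: Iterable[str]) -> list[Conn]:
    """Return every parsed record that breaks the segmentation policy."""
    return [c for c in map(parse_conn_line, lines) if c and is_violation(c)]


def render_nft_rules() -> str:
    """Render the same policy as an nftables ruleset for the segment firewall.

    Default-deny forward chain: allow-listed hosts may open TCP/502 to the PLC
    segment; any other attempt at that port is logged and dropped.
    """
    hosts = ", ".join(str(h) for h in sorted(AUTHORIZED_SOURCES))
    ports = ", ".join(str(p) for p in sorted(PLC_PORTS))
    return f"""table inet ics_plc {{
  set eng_hosts {{ type ipv4_addr; elements = {{ {hosts} }} }}
  chain forward {{
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip saddr @eng_hosts ip daddr {PLC_NETWORK} tcp dport {{ {ports} }} accept
    ip daddr {PLC_NETWORK} tcp dport {{ {ports} }} log prefix "PLC-DENY " drop
  }}
}}
"""


# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1490832000.1\tCa1\t10.10.1.10\t49152\t10.10.5.21\t502\ttcp",  # eng ws -> PLC: allowed
    "1490832001.2\tCb2\t10.10.1.20\t49153\t10.10.5.21\t502\ttcp",  # SCADA -> PLC: allowed
    "1490832002.3\tCc3\t10.10.9.77\t53121\t10.10.5.21\t502\ttcp",  # unknown host -> PLC: violation
    "1490832003.4\tCd4\t10.10.9.77\t53122\t10.10.5.22\t80\ttcp",   # not a Modbus port: outside this rule
    "1490832004.5\tCe5\t10.10.1.30\t40000\t10.10.1.20\t502\ttcp",  # target is not a PLC: ignored
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"VIOLATION {v.uid}: {v.orig_h}:{v.orig_p} -> {v.resp_h}:{v.resp_p}")
    print(render_nft_rules())
```

The detector and the ruleset share one allow-list so the monitoring view and the enforcement view cannot drift apart. Note that the rule is scoped to TCP/502 only; the fourth sample record (an unknown host reaching port 80 on a PLC) is deliberately not flagged, so any other service exposed by the controllers needs its own entry in PLC_PORTS or a separate rule.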
Schedule (requires a maintenance window)
No firmware fix is listed for these end-of-life models. Should the vendor release one, applying it requires a device reboot, so plan for a process interruption.
[WORKAROUND] Monitor vendor security bulletins for future firmware updates addressing these weaknesses.