OTPulse

Schneider Electric Modicon Modbus Protocol

Act Now · CVSS 10 · ICS-CERT ICSA-17-101-01 · Apr 11, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Modicon Modbus protocol contains a vulnerability that allows remote exploitation without authentication. The protocol uses cleartext communication without cryptographic protections, enabling attackers to intercept, modify, or inject commands into industrial control systems that rely on Modbus for communication between PLCs, RTUs, and human-machine interfaces. This affects all versions of the protocol.

What this means
What could happen
An attacker on your network can intercept or modify commands sent over Modbus, potentially altering process setpoints, halting equipment, or causing unsafe operational states in your PLC-controlled systems without requiring any authentication credentials.
Who's at risk
Water utilities, municipal electric utilities, and any organization relying on Schneider Electric Modicon PLCs, RTUs, and SCADA systems using the Modbus protocol for device communication. This affects any site where Modbus is used to control critical equipment such as pump stations, substations, or generator controls.
How it could be exploited
An attacker with network access to your Modbus network (TCP port 502 or serial Modbus connections) can passively capture cleartext Modbus frames to read state information, or actively inject malicious Modbus commands to manipulate PLC registers and coils, controlling connected equipment like pumps, motors, or valves.
Prerequisites
  • Network access to Modbus TCP (port 502) or serial Modbus interface
  • No authentication required
  • Modbus device must be operational and responding to protocol traffic
Remotely exploitable · No authentication required · Low complexity attack · No patch available · Affects critical industrial control devices
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: Modicon Modbus protocol (all versions)
Affected Versions: All versions
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
[HARDENING] Implement network segmentation to isolate Modbus networks from untrusted networks and the internet using firewalls or industrial demilitarized zones (DMZ)
[WORKAROUND] Deploy access controls to restrict which devices can communicate on Modbus networks—limit device-to-device communication to only necessary PLC-to-RTU or HMI-to-PLC pairs
[WORKAROUND] Disable Modbus TCP on public-facing interfaces; use only where necessary on isolated control network segments
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

[HARDENING] Monitor Modbus network traffic for unauthorized or anomalous commands using network intrusion detection systems or protocol analyzers
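The monitoring control above and the device-pair allowlisting workaround in the "Do now" list can be combined into one detection rule: decode each Modbus/TCP request and raise an alert when a state-changing function code (coil or register write) comes from a host that is not on the PLC's writer list, or when a frame does not even follow the MBAP framing rules. The following Python is an added example written for this page, not code from OTPulse, ICS-CERT or Schneider Electric; the host addresses, the per-PLC policy and the captured frames are constructed sample data, and `PlcPolicy`, `inspect_request` and `audit` are names chosen here.

```python
# Added example: inspect Modbus/TCP requests against a per-PLC allowlist.
# Hosts, policy and frames below are constructed for illustration.
import struct
from dataclasses import dataclass, field

# Public function codes from the Modbus Application Protocol Specification.
READ_FUNCTION_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
                       3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# All of the above carry a 16-bit start address then a 16-bit count/value.
ADDRESSED_CODES = set(READ_FUNCTION_CODES) | set(WRITE_FUNCTION_CODES)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int         # starting coil/register address
    count_or_value: int  # quantity for multi-item codes, value for single writes


def parse_request(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the leading PDU fields of one request.

    Frames that break MBAP framing raise ValueError; the inspector reports
    those as alerts instead of silently skipping them.
    """
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus (0)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    address = count_or_value = 0
    if fc in ADDRESSED_CODES:
        if len(frame) < 12:
            raise ValueError(f"function {fc} requires address and count fields")
        address, count_or_value = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(tid, unit, fc, address, count_or_value)


@dataclass
class PlcPolicy:
    """Which hosts may talk to one PLC, and how far writes may reach."""
    readers: set = field(default_factory=set)  # HMI/historian hosts allowed to poll
    writers: set = field(default_factory=set)  # hosts allowed to change state
    max_write_address: int = 0xFFFF            # highest coil/register writes may touch


def inspect_request(src: str, dst: str, frame: bytes, policy: dict) -> list:
    """Return alert strings for one request; an empty list means it conforms."""
    plc = policy.get(dst)
    if plc is None:
        return [f"{src} -> {dst}: Modbus request to a host not in the PLC inventory"]
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return [f"{src} -> {dst}: malformed Modbus frame ({exc})"]
    alerts = []
    fc = req.function_code
    if fc in WRITE_FUNCTION_CODES:
        name = WRITE_FUNCTION_CODES[fc]
        if src not in plc.writers:
            alerts.append(f"{src} -> {dst}: {name} (fc {fc}) from a host not allowed to write")
        if req.address > plc.max_write_address:
            alerts.append(f"{src} -> {dst}: {name} at address {req.address} is outside the writable range")
    elif fc in READ_FUNCTION_CODES:
        if src not in plc.readers | plc.writers:
            alerts.append(f"{src} -> {dst}: {READ_FUNCTION_CODES[fc]} (fc {fc}) from an unknown host")
    else:
        alerts.append(f"{src} -> {dst}: unexpected function code {fc}")
    return alerts


# Constructed policy: one PLC, an HMI that may read and write, a read-only historian.
POLICY = {"10.0.0.50": PlcPolicy(readers={"10.0.0.10", "10.0.0.20"},
                                 writers={"10.0.0.10"}, max_write_address=99)}

# Constructed captured requests as (src, dst, MBAP+PDU hex).
SAMPLE_TRAFFIC = [
    ("10.0.0.10", "10.0.0.50", "00010000000601050001ff00"),  # HMI: Write Single Coil 1 ON
    ("10.0.0.20", "10.0.0.50", "00020000000601030000000a"),  # historian: read 10 holding registers
    ("10.0.0.99", "10.0.0.50", "000300000006010600100000"),  # unknown host: Write Single Register 16
    ("10.0.0.20", "10.0.0.50", "00040000000601050002ff00"),  # historian: Write Single Coil 2 ON
    ("10.0.0.10", "10.0.0.50", "000500000006010601f40000"),  # HMI: Write Single Register 500
    ("10.0.0.10", "10.0.0.50", "0006000000060106"),          # truncated frame
]


def audit(traffic=SAMPLE_TRAFFIC, policy=POLICY) -> list:
    """Run every sample request through the inspector and collect the alerts."""
    return [a for src, dst, hex_frame in traffic
            for a in inspect_request(src, dst, bytes.fromhex(hex_frame), policy)]
```

Running `audit()` on the sample traffic produces four alerts: the write from the unknown host, the write from the read-only historian, the HMI write beyond the permitted register range, and the truncated frame. The first two allowed requests produce nothing. Because Modbus has no authentication, source address plus function code is the only basis on which a passive monitor can distinguish an operator's command from an injected one, so the allowlist is only as good as the segmentation that keeps untrusted hosts off the control segment in the first place.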
Mitigations - no patch available
The Modicon Modbus protocol (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
[HARDENING] Implement VPN or encrypted tunnels for any remote Modbus communication if remote management cannot be eliminated