Schneider Electric Modicon M221 PLCs and SoMachine Basic (Update A)

Plan Patch | CVSS 10 | ICS-CERT ICSA-17-103-02A | Apr 13, 2017
Schneider Electric | Energy | Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Schneider Electric Modicon M221 PLCs and SoMachine Basic contain multiple vulnerabilities (CWE-321, CWE-693) that allow remote code execution without authentication. The M221 is a compact programmable logic controller used in industrial control systems. SoMachine Basic is the engineering software for programming and configuring these PLCs. A remote attacker can exploit these vulnerabilities to execute arbitrary commands on affected systems, potentially bypassing cryptographic controls and validation mechanisms. Affected firmware versions: M221 <= 1.5.0.1, SoMachine Basic > 1.5.

What this means
What could happen
An attacker could remotely execute commands on your M221 PLC without entering credentials, allowing them to modify control logic, alter process setpoints, or halt operations. This could cause uncontrolled equipment behavior, process stoppage, or unsafe conditions.
Who's at risk
Water and electric utilities, wastewater treatment facilities, and manufacturing operations using Schneider Electric Modicon M221 PLCs for process control should assess their exposure. This is critical for any facility where the M221 controls pumps, valves, motors, or other safety-critical equipment. SoMachine Basic users should also verify they are not running vulnerable versions on systems with network access to M221 devices.
How it could be exploited
An attacker can send specially crafted network packets to the M221 PLC on its industrial protocol port (typically Modbus TCP, port 502) from anywhere with network access. No authentication or special configuration is required. Public exploits are available, making this easily exploitable by attackers with basic networking knowledge.
Prerequisites
  • Network connectivity to the M221 PLC on port 502 (Modbus TCP or engineering interface port)
  • No credentials or authentication required
remotely exploitable | no authentication required | low complexity | no patch available | public exploits available | affects control system logic execution
Exploitability
Some exploitation risk — EPSS score 1.3%
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
All Modicon M221 PLCs with: firmware | ≤ 1.5.0.1 | No fix (EOL)
SoMachine Basic: > 1.5 | > 1.5 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate M221 PLCs from untrusted networks using network segmentation (VLAN, firewall rules). Restrict access to port 502 and engineering software ports to authorized workstations only.
WORKAROUND: If M221 devices must remain on shared networks, implement firewall rules to block inbound connections from untrusted sources to the PLC's industrial protocol ports.
WORKAROUND: Disable remote access to M221 engineering interfaces and Modbus TCP ports if not required for normal operations.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Implement network monitoring and intrusion detection to alert on unauthorized attempts to access M221 PLCs on port 502.
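One way to implement this monitoring control, as an added example that is not part of the advisory or of any Schneider Electric tooling: it flags flows to a PLC on TCP port 502 whose source is not an authorized workstation. The PLC addresses, authorized ranges and the flow-record format are assumptions, and the sample records are constructed.

```python
import ipaddress

MODBUS_PORT = 502  # industrial protocol port named in the advisory
# Hypothetical site inventory (constructed addresses); substitute your own.
PLC_HOSTS = {ipaddress.ip_address(a) for a in ("10.20.0.11", "10.20.0.12")}
AUTHORIZED = [ipaddress.ip_network(n) for n in ("10.20.0.50/32", "10.20.1.0/28")]

# Constructed flow records: time src src_port dst dst_port proto verdict
SAMPLE_FLOWS = """\
2017-04-13T08:00:01Z 10.20.0.50 49152 10.20.0.11 502 tcp allow
2017-04-13T08:00:07Z 10.20.1.5 49153 10.20.0.12 502 tcp allow
2017-04-13T08:01:12Z 10.30.4.9 51000 10.20.0.11 502 tcp allow
2017-04-13T08:01:13Z 10.30.4.9 51001 10.20.0.12 502 tcp deny
2017-04-13T08:02:00Z 10.30.4.9 51002 10.20.0.11 443 tcp deny
2017-04-13T08:02:30Z 192.0.2.77 40000 10.20.0.11 502 tcp allow
2017-04-13T08:03:00Z 10.20.1.200 40001 10.20.0.11 502 tcp allow
this line is truncated
"""

def parse_flow(line):
    """Return (time, src, dst, dport, proto, verdict), or None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        return (parts[0], ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[3]),
                int(parts[4]), parts[5].lower(), parts[6].lower())
    except ValueError:
        return None

def unauthorized_plc_access(text):
    """Flows to a PLC on TCP/502 whose source is not an authorized workstation."""
    alerts = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip truncated or unparsable records
        when, src, dst, dport, proto, verdict = flow
        if proto != "tcp" or dport != MODBUS_PORT or dst not in PLC_HOSTS:
            continue
        if any(src in net for net in AUTHORIZED):
            continue
        # An allowed flow reached the PLC: that is a segmentation gap to fix.
        severity = "high" if verdict == "allow" else "medium"
        alerts.append({"time": when, "src": str(src), "dst": str(dst), "severity": severity})
    return alerts

if __name__ == "__main__":
    print(*unauthorized_plc_access(SAMPLE_FLOWS), sep="\n")
```

Alerts marked "high" show traffic that the firewall let through to the PLC, so they point at a rule to tighten as well as a source to investigate.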
Mitigations - no patch available
The following products have reached End of Life with no planned fix: All Modicon M221 PLCs with: firmware, SoMachine Basic: > 1.5. Apply the following compensating controls:
HARDENING: Evaluate replacement or retirement of Modicon M221 PLCs with newer Schneider Electric PLC models that receive active security updates.