Schneider Electric Modicon Premium, Modicon Quantum, Modicon M340, and Modicon BMXNOR0200
Monitor · 5.9 · ICS-CERT ICSA-18-086-01 · Mar 27, 2018
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary
Schneider Electric Modicon PLCs (Premium, Quantum, M340, and BMXNOR0200) contain multiple vulnerabilities in cryptographic implementations and credential management. The devices use weak cryptographic algorithms (CWE-327) and hardcoded credentials (CWE-798), and are vulnerable to stack-based buffer overflow (CWE-121). These flaws allow an attacker with network access and engineering credentials to execute unauthorized commands, modify control logic, or crash the PLC; because the credentials are hardcoded, anyone who knows them satisfies that credential requirement. No firmware patches are available from the vendor for any affected product line.
What this means
What could happen
An attacker with engineering credentials can trigger a denial-of-service condition or manipulate critical control logic on Modicon PLCs, potentially disrupting industrial processes such as power generation or distribution. The devices use weak cryptography and hardcoded credentials, so the credential requirement can be met without a legitimate account.
Who's at risk
This affects the listed Modicon PLC models (Premium, Quantum, M340) and the BMXNOR0200 RTU module used in power generation and distribution systems, water treatment facilities, and other critical infrastructure where process control and safe operation depend on PLC integrity.
How it could be exploited
An attacker on the network with valid engineering workstation credentials (or the hardcoded ones) can send specially crafted packets to TCP port 502 (Modbus TCP) or the engineering protocol port to execute unauthorized commands, modify control logic, or crash the PLC. Exploitation requires network reach to the PLC; once credentials are in hand, publicly available Modbus tooling lowers the skill needed.
Prerequisites
- Network access to the PLC from engineering workstation segment or Internet if not firewalled
- Valid engineering credentials or ability to use hardcoded default credentials
- Access to engineering communication port (typically port 502 for Modbus)
Tags: remotely exploitable · no authentication required (hardcoded credentials) · low complexity · no patch available · affects safety-critical systems · default credentials
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (4)
4 EOL
Product                           Affected Versions   Fix Status
Modicon Quantum                   All versions        No fix (EOL)
Modicon M340                      All versions        No fix (EOL)
Modicon X80 RTU (BMXNOR0200H)     All versions        No fix (EOL)
Modicon Premium                   All versions        No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement firewall rules to block all inbound access to Modicon PLCs from external networks and business network segments; restrict engineering access to dedicated jump hosts
HARDENING: Isolate all Modicon PLC networks from the business network using air-gap or VLAN segmentation with strict access controls
HARDENING: Change all default engineering credentials where the device allows it and enforce strong password policies for engineering workstations and PLC access accounts; hardcoded credentials (CWE-798) typically cannot be changed by the operator, which is why network isolation is the primary control
WORKAROUND: Deploy a VPN with current patches and strong encryption for any required remote engineering access; verify the VPN appliance is running its latest firmware
Schedule — requires maintenance window
No patch exists for these products; the configuration changes below may still require a device reboot, so plan for process interruption
HARDENING: Disable remote access ports on Modicon PLCs if not actively required for operations; document all required remote connections
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Modicon Quantum (all versions), Modicon M340 (all versions), Modicon X80 RTU (BMXNOR0200H, all versions), Modicon Premium (all versions). Apply the following compensating controls:
HARDENING: Monitor engineering port traffic (TCP 502 and the engineering protocol) for suspicious activity and unauthorized credential use
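The monitoring control above, and the crafted-packet path described under "How it could be exploited", as an added example that is not part of the advisory or of any Schneider Electric tooling: a minimal Modbus/TCP inspector run over constructed frames. It parses the MBAP header and flags engineering-protocol or write function codes sent to port 502 from hosts outside an assumed engineering allowlist, plus malformed frames. The mapping of Schneider's UMAS engineering protocol to Modbus function code 0x5A (90) is background knowledge, not something the page states; the IP addresses, the allowlist and the frame contents are constructed for the example.

```python
"""Added example: flag engineering-protocol and write traffic to a Modicon
PLC on TCP 502 from hosts that are not approved engineering workstations.
Assumption (not from the advisory): Schneider's UMAS engineering protocol
rides on Modbus/TCP function code 0x5A (90)."""
import struct
from dataclasses import dataclass

# Modbus function codes that change PLC state.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
UMAS_FUNCTION = 0x5A  # assumed: Schneider engineering protocol over Modbus/TCP

# Constructed allowlist: only the engineering jump host may talk UMAS or write.
ENGINEERING_HOSTS = {"10.10.20.5"}


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    function: int   # Modbus function code, or -1 for a malformed frame
    reason: str


def parse_mbap(payload: bytes):
    """Return (transaction_id, protocol_id, length, unit_id, function_code),
    or None if the bytes are not a well-formed Modbus/TCP frame."""
    if len(payload) < 8:              # 7-byte MBAP header + 1-byte function code
        return None
    tid, pid, length, uid = struct.unpack("!HHHB", payload[:7])
    if pid != 0:                      # protocol id is always 0 for Modbus
        return None
    if length != len(payload) - 6:    # length counts unit id + PDU
        return None
    return tid, pid, length, uid, payload[7]


def inspect(flow):
    """flow: (src_ip, dst_ip, dst_port, payload). Returns an Alert or None."""
    src, dst, dport, payload = flow
    if dport != 502:
        return None
    parsed = parse_mbap(payload)
    if parsed is None:
        return Alert(src, dst, -1, "malformed Modbus/TCP frame on 502")
    fc = parsed[4]
    if fc == UMAS_FUNCTION and src not in ENGINEERING_HOSTS:
        return Alert(src, dst, fc, "engineering (0x5A) traffic from non-engineering host")
    if fc in WRITE_FUNCTIONS and src not in ENGINEERING_HOSTS:
        return Alert(src, dst, fc, f"write function 0x{fc:02X} from non-engineering host")
    return None


def monitor(flows):
    """Run inspect() over every flow and keep only the alerts."""
    return [a for a in map(inspect, flows) if a is not None]


def frame(fc: int, data: bytes, tid: int = 1, uid: int = 0) -> bytes:
    """Build a Modbus/TCP frame: MBAP header followed by function code + data."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, uid) + pdu


# Constructed sample traffic toward a PLC at 10.10.40.1.
SAMPLE_FLOWS = [
    # read holding registers from an HMI: benign
    ("10.10.30.7", "10.10.40.1", 502, frame(0x03, b"\x00\x00\x00\x0a")),
    # engineering session from the approved jump host: benign
    ("10.10.20.5", "10.10.40.1", 502, frame(0x5A, b"\x00\x01")),
    # engineering function code from a business-network host: alert
    ("192.168.1.50", "10.10.40.1", 502, frame(0x5A, b"\x00\x01")),
    # write single register from an unknown host: alert
    ("192.168.1.51", "10.10.40.1", 502, frame(0x06, b"\x00\x10\x00\x01")),
    # truncated frame (4 bytes): alert as malformed
    ("192.168.1.52", "10.10.40.1", 502, b"\x00\x01\x00\x00"),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_FLOWS):
        print(alert)
```

The allowlist is the real control here: a Modicon PLC cannot reject the hardcoded credentials itself, so the monitor treats any engineering-protocol or write traffic from a host other than the approved jump host as suspicious regardless of whether the credentials presented were valid.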
API:
/api/v1/advisories/71374e0d-448f-4fc4-a88a-1c9a78bff3a6