OTPulse

Schneider Electric Modicon M221

Status: Plan Patch
CVSS: 7.7
Source: ICS-CERT ICSA-18-240-01
Published: Aug 28, 2018
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

The Modicon M221 PLC contains authentication weaknesses (CWE-204, CWE-284) that allow attackers to replay authentication sequences, overwrite stored passwords, or extract and decode passwords through network access to port 502 (Modbus TCP). An attacker with access could reprogram the controller or alter its operational parameters without valid credentials. The vulnerability affects all Modicon M221 firmware versions prior to v1.6.2.0.

What this means
What could happen
An attacker could replay stored authentication sequences, overwrite controller passwords, or extract and decode passwords from the Modicon M221 PLC, potentially gaining control to reprogram logic or alter process setpoints.
Who's at risk
Water and electric utilities using Schneider Electric Modicon M221 programmable logic controllers (PLCs) for process automation should be concerned. Any organization running M221 controllers for critical operations like pump control, valve positioning, or system monitoring is at risk if the device is reachable from their network.
How it could be exploited
An attacker with network access to port 502 (Modbus TCP) can capture and replay authentication handshakes, or attempt to overwrite password storage in the controller's memory. The attack does not require user interaction but does require understanding of the Modicon M221's authentication mechanism and moderate technical skill.
Prerequisites
  • Network access to port 502 (Modbus TCP)
  • No valid credentials required for initial exploitation
  • Knowledge of Modicon M221 authentication protocol implementation
Tags: remotely exploitable; no authentication required for initial exploitation; affects PLC reprogramming capability; password storage weakness
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (1)
Product                        Affected Versions        Fix Status
Modicon M221 (all references)  all versions < 1.6.2.0   fixed in 1.6.2.0
Remediation & Mitigation
Do now
WORKAROUND: Block all remote/external access to port 502 at the firewall
WORKAROUND: Disable all unused protocols in the M221 application, especially the programming protocol
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Modicon M221 firmware to v1.6.2.0 or later via SoMachine Basic v1.6 SP2
Long-term hardening
HARDENING: Isolate the Modicon M221 and control system network from the business network
HARDENING: Ensure control system devices are not accessible from the Internet
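The workaround and hardening items above all come down to one measurable condition: nothing except the sanctioned engineering workstations may reach the M221 on TCP/502. The following script is an added example (it is not part of the OTPulse advisory and not Schneider Electric code) that audits flow records to verify that condition holds. It assumes a simple space-separated flow-log format and hypothetical addresses (the PLC at 10.20.30.40, an engineering VLAN of 10.20.31.0/24, RFC 1918 ranges as the organisation's internal space); the sample records are constructed. Connections from an internal but unsanctioned host are reported as medium severity (the network-segmentation control has failed), and connections from outside internal address space as high severity (the Internet-exposure control has failed).

```python
"""Audit flow records for Modbus/TCP (port 502) reachability to a Modicon M221.

Added example, not part of the OTPulse advisory. Log format and addresses are
assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass

MODBUS_TCP_PORT = 502

# Hypothetical network plan (assumption, not from the advisory): the PLC sits at
# 10.20.30.40 and only the engineering VLAN 10.20.31.0/24 may reach it on TCP/502.
PLC_ADDRESS = ipaddress.ip_address("10.20.30.40")
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.31.0/24")]

# Address space the organisation treats as internal (RFC 1918). A source outside it
# reaching the PLC on TCP/502 means the "not accessible from the Internet" control failed.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flow records (not real traffic):
# "<src_ip> <src_port> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
10.20.31.15 51234 10.20.30.40 502 tcp
10.20.31.15 51240 10.20.30.40 502 tcp
192.168.50.22 40001 10.20.30.40 502 tcp
203.0.113.9 55555 10.20.30.40 502 tcp
10.20.31.15 51300 10.20.30.40 161 udp
"""


@dataclass(frozen=True)
class Finding:
    src: str
    severity: str  # "high": source outside internal space; "medium": internal but unsanctioned
    reason: str


def parse_flow(line):
    """Split one flow record into typed fields."""
    src, sport, dst, dport, proto = line.split()
    return (ipaddress.ip_address(src), int(sport),
            ipaddress.ip_address(dst), int(dport), proto.lower())


def classify_source(src):
    """Return None for a sanctioned source, otherwise a Finding describing the exposure."""
    if any(src in net for net in ALLOWED_SOURCES):
        return None
    if not any(src in net for net in INTERNAL_NETWORKS):
        return Finding(str(src), "high",
                       "Modbus/TCP to the PLC from outside internal address space")
    return Finding(str(src), "medium",
                   "Modbus/TCP to the PLC from an internal host outside the engineering subnet")


def audit_flows(text):
    """Return one Finding per unsanctioned source that reached the PLC on TCP/502."""
    findings, seen = [], set()
    for line in text.splitlines():
        if not line.strip():
            continue
        src, _sport, dst, dport, proto = parse_flow(line)
        # Only Modbus/TCP towards the PLC is in scope for this control check.
        if dst != PLC_ADDRESS or dport != MODBUS_TCP_PORT or proto != "tcp":
            continue
        finding = classify_source(src)
        if finding is not None and finding.src not in seen:
            seen.add(finding.src)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"[{f.severity.upper()}] {f.src}: {f.reason}")
```

Run against the constructed records, the two engineering-workstation flows and the SNMP flow are ignored, while 192.168.50.22 (an internal host outside the engineering VLAN) and 203.0.113.9 (outside internal address space) are each reported once. Pointing the same logic at real firewall or NetFlow exports gives a repeatable check that the port-502 restriction and the network isolation are actually in effect, rather than only configured.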