Schneider Electric Modicon Controllers
Monitor · 5.4 · ICS-CERT ICSA-19-136-01 · May 16, 2019
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A weakness in TCP connection handling in Modicon controllers allows an attacker on the same network segment to hijack connections or cause information leakage. The vulnerability affects Modicon Premium (all versions), Modicon M580 (firmware versions before 2.30), Modicon Quantum (all versions), and Modicon M340 (all versions). No firmware patches are planned by Schneider Electric. Mitigation requires network isolation, firewall rules, and Access Control List configuration.
What this means
What could happen
An attacker on the same network segment could hijack TCP connections to these controllers or extract sensitive information, potentially allowing them to intercept or redirect commands to industrial equipment.
Who's at risk
Energy utilities and industrial operators using Modicon Premium, M580, Quantum, or M340 controllers for process automation and SCADA operations. These controllers are commonly deployed in electrical substations, water treatment facilities, and power generation plants where process integrity is critical.
How it could be exploited
An attacker with network access to the same subnet as the Modicon controller can craft malicious TCP packets to hijack existing connections or intercept unencrypted communications. This could be used to redirect process commands or exfiltrate operational data.
Prerequisites
- Network access to the same subnet or VLAN as the Modicon controller
- Access to TCP ports used by the controller (typically Ethernet messaging ports)
- No authentication required
remotely exploitable · no authentication required · low complexity · no patch available · affects industrial control systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4)
4 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| Modicon Premium: all versions | All versions | No fix (EOL) |
| Modicon M580: firmware | < 2.30 | No fix (EOL) |
| Modicon Quantum: all versions | All versions | No fix (EOL) |
| Modicon M340: firmware all versions | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
WORKAROUND: Deploy a firewall to block all inbound remote and external access to Modicon TCP ports; allow only internal trusted engineering workstations and SCADA servers
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Configure Access Control Lists on the Modicon controller per Schneider Electric's user manual (Messaging Configuration Parameters section) to restrict which hosts can communicate with the controller
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Modicon Premium: all versions, Modicon M580: firmware, Modicon Quantum: all versions, Modicon M340: firmware all versions. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate Modicon controllers from untrusted networks using VLANs or separate network switches
HARDENING: Monitor network traffic to and from Modicon controllers for unauthorized connection attempts or anomalous patterns
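An added example, not part of the advisory or any Schneider Electric material: one way to carry out the monitoring step by checking flow records against the allowlist of trusted engineering workstations and SCADA servers, marking same-segment peers separately because a perimeter firewall never sees them. The addresses, allowlist, log format and function names are constructed assumptions; port 502 is the standard Modbus/TCP port.

```python
import ipaddress

# Constructed values for illustration; none come from the advisory.
CONTROL_NET = ipaddress.ip_network("10.10.5.0/24")   # controller VLAN
CONTROLLERS = {"10.10.5.20", "10.10.5.21"}           # Modicon controllers
TRUSTED = {"10.10.5.10", "10.10.5.11"}               # engineering WS, SCADA server

# Constructed flow records: time src sport dst dport state (502 = Modbus/TCP).
SAMPLE_LOG = """\
2019-05-16T08:00:01 10.10.5.10 49152 10.10.5.20 502 ESTABLISHED
2019-05-16T08:00:07 10.10.5.77 50311 10.10.5.20 502 SYN
2019-05-16T08:00:08 10.10.5.77 50312 10.10.5.20 502 SYN
2019-05-16T08:01:30 192.168.40.9 41000 10.10.5.21 502 SYN
2019-05-16T08:02:00 10.10.5.21 502 10.10.5.11 49200 ESTABLISHED
2019-05-16T08:02:44 10.10.5.20 1030 10.10.5.99 8080 SYN
malformed line
"""

def parse_flows(text):
    """Yield (time, src, sport, dst, dport, state); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        t, src, sport, dst, dport, state = parts
        try:  # reject lines whose addresses or ports do not parse
            src, dst = str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))
            yield t, src, int(sport), dst, int(dport), state
        except ValueError:
            continue

def find_unauthorized(text):
    """Return one finding per controller flow whose peer is not allowlisted."""
    findings = []
    for t, src, sport, dst, dport, state in parse_flows(text):
        if dst in CONTROLLERS:
            peer, direction = src, "inbound"
        elif src in CONTROLLERS:
            peer, direction = dst, "outbound"
        else:
            continue  # flow does not involve a controller
        if peer in TRUSTED or peer in CONTROLLERS:
            continue
        # Adjacent peers sit on the controller's own segment (the advisory's attack vector).
        scope = "adjacent" if ipaddress.ip_address(peer) in CONTROL_NET else "routed"
        findings.append({"time": t, "peer": peer, "direction": direction,
                         "dport": dport, "scope": scope, "state": state})
    return findings
```

An "adjacent" finding points at a gap in the controller ACL or segmentation, while a "routed" finding points at a gap in the firewall rules.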
CVEs (1)