Schneider Electric Modicon Controllers (Update A)

Plan Patch7.5ICS-CERT ICSA-20-016-01Jan 16, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in Schneider Electric Modicon controllers (CWE-754) can be exploited remotely with no authentication to cause a denial-of-service condition. Affected products are Modicon Premium, Modicon Quantum, Modicon M580, and Modicon M340. Successful exploitation results in the controller crashing and stopping industrial process operations until manual restart.

What this means

What could happen

An attacker could crash Modicon controllers, causing a denial-of-service condition that would stop your industrial process until the device is manually restarted.

Who's at risk

Energy sector organizations operating Modicon controllers (Premium, Quantum, M580, M340) should prioritize this. These are programmable logic controllers that manage power generation, distribution, and critical industrial processes. Any organization using Modicon controllers for essential operations is at risk.

How it could be exploited

An attacker with network access to a Modicon controller sends a malformed network request that triggers an unhandled exception in the device firmware. The controller crashes and stops responding to legitimate commands, requiring manual restart.

Prerequisites

Network access to the Modicon controller (Ethernet port 502 or other service port)
No authentication required to send the malicious request

remotely exploitableno authentication requiredlow complexityaffects critical infrastructureaffects multiple controller models

Exploitability

Low exploit probability (EPSS 0.5%)

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

Modicon Premium: all< 3.203.20

Modicon Quantum: all< 3.523.60

Modicon Quantum: all< 3.603.60

Modicon M580: all< 2.803.10

Modicon M340: all< 3.013.20

Remediation & Mitigation

0/9

Do now

0/3

HARDENINGPlace all Modicon controllers behind a network firewall and isolate from business network

HARDENINGEnsure Modicon controllers are not accessible from the Internet

HARDENINGNever leave Modicon controllers in Program mode; set to Run mode when not actively programming

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

HOTFIXApply Modicon M580 firmware version 3.10 or later

HOTFIXApply Modicon M340 firmware version 3.20 or later

HOTFIXApply Modicon Premium firmware version 3.20 or later (contact Schneider Electric for availability)

HOTFIXApply Modicon Quantum firmware version 3.60 or later (contact Schneider Electric for availability)

Long-term hardening

0/2

HARDENINGRestrict physical access to Modicon controllers and engineering workstations to authorized personnel only

HARDENINGScan all mobile media (USB drives, external storage) before connecting to control network

CVEs (3)

CVE-2019-6857 CVE-2019-6856 CVE-2018-7794

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a36f7a44-f2ad-4d35-a3a2-8a6e85f0864d